Analysis
- max time kernel: 167s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 05-02-2022 21:41
Static task: static1
Behavioral task: behavioral1
- Sample: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
- Resource: win10v2004-en-20220113
General
- Target: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
- Size: 99KB
- MD5: 20abc2fc4ae0ddc631322df67c828c17
- SHA1: 30fc7b84a438df84624e79d5365d4bd959fb5f72
- SHA256: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f
- SHA512: cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1
Malware Config
Extracted
- Path: C:\Users\Admin\Music\# DECRYPT MY FILES #.txt
- URL: http://decrypttozxybarc.onion/D0B9-7690-D2D4-0006-4D1A
Signatures
- suricata: ET MALWARE Ransomware/Cerber Checkin 2
- suricata: ET MALWARE Ransomware/Cerber Checkin M3 (14)
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{039EB981-FDFB-E250-78E7-3E7222249782}\\expand.exe\"" (022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{039EB981-FDFB-E250-78E7-3E7222249782}\\expand.exe\"" (expand.exe)
- Executes dropped EXE (7 IoCs)
  Processes (pid, process): 4532 expand.exe; 1052 expand.exe; 4908 expand.exe; 4188 expand.exe; 3404 expand.exe; 1712 expand.exe; 948 expand.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 8 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (expand.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (expand.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (expand.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (expand.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (expand.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (expand.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (expand.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (expand.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (expand.exe)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\expand.lnk (expand.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\expand.lnk (022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe)
- Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\expand = "\"C:\\Users\\Admin\\AppData\\Roaming\\{039EB981-FDFB-E250-78E7-3E7222249782}\\expand.exe\"" (expand.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (expand.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\expand = "\"C:\\Users\\Admin\\AppData\\Roaming\\{039EB981-FDFB-E250-78E7-3E7222249782}\\expand.exe\"" (expand.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run (022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\expand = "\"C:\\Users\\Admin\\AppData\\Roaming\\{039EB981-FDFB-E250-78E7-3E7222249782}\\expand.exe\"" (022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\expand = "\"C:\\Users\\Admin\\AppData\\Roaming\\{039EB981-FDFB-E250-78E7-3E7222249782}\\expand.exe\"" (022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run (expand.exe)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows (flow, ioc): 17 ipinfo.io; 16419 ipinfo.io
- Drops file in Windows directory (6 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  - File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Kills process with taskkill (2 IoCs)
  Processes (pid, process): 4512 taskkill.exe; 4824 taskkill.exe
- Modifies Control Panel (4 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop (expand.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{039EB981-FDFB-E250-78E7-3E7222249782}\\expand.exe\"" (expand.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop (022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{039EB981-FDFB-E250-78E7-3E7222249782}\\expand.exe\"" (022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe)
- Modifies data under HKEY_USERS (1 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (svchost.exe)
- Modifies registry class (2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings (expand.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
- Runs ping.exe (1 TTPs, 2 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process; repeated entries collapsed with their count): 4532 expand.exe (x20); 1052 expand.exe (x20); 3404 expand.exe (x20); 1712 expand.exe (x4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  Processes (pid, process): 1156 msedge.exe (x4)
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege 4272 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
  - Token: SeDebugPrivilege 4532 expand.exe
  - Token: SeDebugPrivilege 4512 taskkill.exe
  - Token: SeDebugPrivilege 1052 expand.exe
  - Token: SeDebugPrivilege 4908 expand.exe
  - Token: SeDebugPrivilege 4188 expand.exe
  - Token: SeDebugPrivilege 3404 expand.exe
  - Token: SeDebugPrivilege 1712 expand.exe
  - Token: 33 2164 AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege 2164 AUDIODG.EXE
  - Token: SeDebugPrivilege 948 expand.exe
  - Token: SeDebugPrivilege 4824 taskkill.exe
  - Token: SeShutdownPrivilege 528 svchost.exe
  - Token: SeCreatePagefilePrivilege 528 svchost.exe
  - Token: SeShutdownPrivilege 528 svchost.exe
  - Token: SeCreatePagefilePrivilege 528 svchost.exe
  - Token: SeShutdownPrivilege 528 svchost.exe
  - Token: SeCreatePagefilePrivilege 528 svchost.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid, process): 1156 msedge.exe (x3)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid and process wrote to memory of target pid and process; repeated entries collapsed with their count):
  - PID 4272 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe wrote to memory of 4532 expand.exe (x3)
  - PID 4272 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe wrote to memory of 4464 cmd.exe (x3)
  - PID 4464 cmd.exe wrote to memory of 4512 taskkill.exe (x3)
  - PID 4464 cmd.exe wrote to memory of 1976 PING.EXE (x3)
  - PID 4532 expand.exe wrote to memory of 1052 expand.exe (x3)
  - PID 4532 expand.exe wrote to memory of 4188 expand.exe (x3)
  - PID 4532 expand.exe wrote to memory of 3404 expand.exe (x3)
  - PID 4532 expand.exe wrote to memory of 1660 NOTEPAD.EXE (x2)
  - PID 4532 expand.exe wrote to memory of 1156 msedge.exe (x2)
  - PID 4532 expand.exe wrote to memory of 1928 WScript.exe (x2)
  - PID 4532 expand.exe wrote to memory of 1712 expand.exe (x3)
  - PID 1156 msedge.exe wrote to memory of 4724 msedge.exe (x2)
  - PID 1156 msedge.exe wrote to memory of 3460 msedge.exe (x32)
Processes
(tree; indentation shows parent/child depth, each entry gives the image path, the recorded command line, the triggered signatures and the PID)
- C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe"
  - Adds policy Run key to start application
  - Drops startup file
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4272
  - C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
    Command line: "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe"
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4532
    - C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
      Command line: "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" -stat -1 -wait "=a-Akau5uWl9~{s!#h^+DMlH(vSVs"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1052
    - C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
      Command line: "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" -watchdog
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 4188
    - C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
      Command line: "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" -stat 94
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3404
    - C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
      PID: 1660
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 1156
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc421846f8,0x7ffc42184708,0x7ffc42184718
        PID: 4724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        PID: 3460
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
        PID: 4808
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3084 /prefetch:8
        PID: 1160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
        PID: 2500
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
        PID: 2380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5312 /prefetch:8
        PID: 5056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
        PID: 1744
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
        PID: 4736
    - C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
      PID: 1928
    - C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
      Command line: "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" -stat 94 -wait "fJ6yWW{F[G4HP@_<c#)gAVg^{C57M"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1712
    - C:\Windows\system32\cmd.exe
      Command line: /d /c taskkill /t /f /im "expand.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" > NUL
      PID: 888
      - C:\Windows\system32\taskkill.exe
        Command line: taskkill /t /f /im "expand.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 4824
      - C:\Windows\system32\PING.EXE
        Command line: ping -n 1 127.0.0.1
        - Runs ping.exe
        PID: 3796
  - C:\Windows\SysWOW64\cmd.exe
    Command line: /d /c taskkill /t /f /im "022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe" > NUL
    - Suspicious use of WriteProcessMemory
    PID: 4464
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /t /f /im "022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4512
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 1 127.0.0.1
      - Runs ping.exe
      PID: 1976
- C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
  Command line: C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4908
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x33c 0x3d8
  - Suspicious use of AdjustPrivilegeToken
  PID: 2164
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  - Modifies data under HKEY_USERS
  PID: 4192
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4240
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 528
- C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
  Command line: C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 948
Network
MITRE ATT&CK Enterprise v6
Downloads