Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 10/02/2022, 19:36
Static task: static1

Behavioral task: behavioral1
- Sample: 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
- Resource: win10v2004-en-20220112
General
- Target: 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
- Size: 127KB
- MD5: c731cbf04c68430f31ff0ab1b0b1f054
- SHA1: f3c14e25584475f01f417e3ec45474aa8de4400d
- SHA256: 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e
- SHA512: 1f188fa26c4554f4c3fdb73ea7c105b76a354f6444f4977eee5fc0b31df9b880118e912bb86bdf93874c55b081713ae51b32115ab600bdeda0ec62e61f3b7b61
Malware Config
- Extracted: C:\Program Files\RECOVERY INFORMATION.txt
Signatures

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid   Process
  3756  bcdedit.exe
  3780  bcdedit.exe

- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  File renamed | C:\Users\Admin\Pictures\ReadResolve.raw => C:\Users\Admin\Pictures\ReadResolve.raw.mallox | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File renamed | C:\Users\Admin\Pictures\SendGet.png => C:\Users\Admin\Pictures\SendGet.png.mallox | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Users\Admin\Pictures\ResumeMount.tiff | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File renamed | C:\Users\Admin\Pictures\ResumeMount.tiff => C:\Users\Admin\Pictures\ResumeMount.tiff.mallox | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File renamed | C:\Users\Admin\Pictures\WriteResolve.raw => C:\Users\Admin\Pictures\WriteResolve.raw.mallox | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File renamed | C:\Users\Admin\Pictures\MoveProtect.tif => C:\Users\Admin\Pictures\MoveProtect.tif.mallox | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe

- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\H: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\K: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\L: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\T: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\U: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\E: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\F: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\G: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\Z: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\V: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\X: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\Y: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\Q: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\R: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\W: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\I: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\M: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\N: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\O: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\P: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\S: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\A: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\B: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\J: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe

- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  1468  vssadmin.exe

- Modifies data under HKEY_USERS (47 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3528  98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  3528  98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeTakeOwnershipPrivilege | 3528 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  Token: SeDebugPrivilege | 3528 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  Token: SeBackupPrivilege | 1156 | vssvc.exe
  Token: SeRestorePrivilege | 1156 | vssvc.exe
  Token: SeAuditPrivilege | 1156 | vssvc.exe

- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 3528 wrote to memory of 1468 | 3528 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 59
  PID 3528 wrote to memory of 1468 | 3528 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 59
  PID 3528 wrote to memory of 832 | 3528 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 61
  PID 3528 wrote to memory of 832 | 3528 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 61
  PID 3528 wrote to memory of 1500 | 3528 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 63
  PID 3528 wrote to memory of 1500 | 3528 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 63
  PID 832 wrote to memory of 3756 | 832 | cmd.exe | 66
  PID 832 wrote to memory of 3756 | 832 | cmd.exe | 66
  PID 1500 wrote to memory of 3780 | 1500 | cmd.exe | 67
  PID 1500 wrote to memory of 3780 | 1500 | cmd.exe | 67
Processes

- C:\Users\Admin\AppData\Local\Temp\98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe"
  - Modifies extensions of user files
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3528

  - C:\Windows\system32\vssadmin.exe
    Command line: "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
    - Interacts with shadow copies
    PID: 1468

  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    PID: 832

    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID: 3756

  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    - Suspicious use of WriteProcessMemory
    PID: 1500

    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {current} recoveryenabled no
      - Modifies boot configuration data using bcdedit
      PID: 3780

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1156

- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 4068

- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 2852