Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
14-02-2022 15:41
Static task
static1
Behavioral task
behavioral1
Sample
ecfPJqv.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
ecfPJqv.exe
Resource
win10v2004-en-20220112
General
-
Target
ecfPJqv.exe
-
Size
53KB
-
MD5
11fea5d1914bb2a69c21d33e4d57075e
-
SHA1
0805389d789d5d7cc1445c0b49563f8646975613
-
SHA256
9378b1a61cd599f6b2f21f7449d6cf35d260a7096aa1fdb9dfa2743457dfc9fc
-
SHA512
43fd021fd27a2cb5d56da23ab5dfe27efce0d57252ae25f139277f90658f2350153c781433d2dd4913bb5f79660ce861613d31d143d3ed207bc7b42ad1854bbe
Malware Config
Extracted
C:\$Recycle.Bin\README_7639322.txt
wowsmith123456@posteo.net
33Ui4qyDn3UNJgjY8UJJLsC5xydbQTgQKP
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 3716 bcdedit.exe 3200 bcdedit.exe -
Disables Task Manager via registry modification
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
ecfPJqv.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\PushUndo.tiff ecfPJqv.exe File opened for modification C:\Users\Admin\Pictures\RestoreMerge.tiff ecfPJqv.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ecfPJqv.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation ecfPJqv.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ecfPJqv.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ecfPJqv.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\ecfPJqv.exe" ecfPJqv.exe -
Drops desktop.ini file(s) 25 IoCs
Processes:
ecfPJqv.exedescription ioc process File created C:\Users\Admin\OneDrive\desktop.ini ecfPJqv.exe File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini ecfPJqv.exe File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini ecfPJqv.exe File created C:\Users\Admin\Saved Games\desktop.ini ecfPJqv.exe File created C:\Users\Admin\Searches\desktop.ini ecfPJqv.exe File created C:\Users\Admin\Contacts\desktop.ini ecfPJqv.exe File created C:\Users\Admin\Desktop\desktop.ini ecfPJqv.exe File created C:\Users\Admin\Documents\desktop.ini ecfPJqv.exe File created C:\Users\Public\AccountPictures\desktop.ini ecfPJqv.exe File created C:\Users\Public\Music\desktop.ini ecfPJqv.exe File created C:\Users\Public\Libraries\desktop.ini ecfPJqv.exe File created C:\Users\Public\Videos\desktop.ini ecfPJqv.exe File created C:\Users\Admin\Downloads\desktop.ini ecfPJqv.exe File created C:\Users\Admin\Music\desktop.ini ecfPJqv.exe File created C:\Users\Public\Desktop\desktop.ini ecfPJqv.exe File created C:\Users\Admin\Videos\desktop.ini ecfPJqv.exe File created C:\Users\Public\desktop.ini ecfPJqv.exe File created C:\Users\Public\Documents\desktop.ini ecfPJqv.exe File created C:\Users\Public\Downloads\desktop.ini ecfPJqv.exe File created C:\Users\Admin\3D Objects\desktop.ini ecfPJqv.exe File created C:\Users\Admin\Favorites\desktop.ini ecfPJqv.exe File created C:\Users\Admin\Favorites\Links\desktop.ini ecfPJqv.exe File created C:\Users\Admin\Links\desktop.ini ecfPJqv.exe File created C:\Users\Admin\Pictures\desktop.ini ecfPJqv.exe File created C:\Users\Public\Pictures\desktop.ini ecfPJqv.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
ecfPJqv.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 ecfPJqv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum ecfPJqv.exe -
Drops file in Program Files directory 2 IoCs
Processes:
ecfPJqv.exedescription ioc process File created C:\Program Files\README_7639322.txt ecfPJqv.exe File created C:\Program Files (x86)\README_7639322.txt ecfPJqv.exe -
Drops file in Windows directory 4 IoCs
Processes:
svchost.exeTiWorker.exeecfPJqv.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File created C:\Windows\README_7639322.txt ecfPJqv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2644 vssadmin.exe -
Modifies data under HKEY_USERS 51 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4356" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.013119" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132895033154951390" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.108939" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3860" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "12.454273" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4156" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" svchost.exe -
Modifies registry class 1 IoCs
Processes:
ecfPJqv.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings ecfPJqv.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 1568 NOTEPAD.EXE -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
ecfPJqv.exepid process 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe 3636 ecfPJqv.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
ecfPJqv.exeTiWorker.exedescription pid process Token: SeDebugPrivilege 3636 ecfPJqv.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe Token: SeBackupPrivilege 3460 TiWorker.exe Token: SeRestorePrivilege 3460 TiWorker.exe Token: SeSecurityPrivilege 3460 TiWorker.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
ecfPJqv.execmd.execmd.exedescription pid process target process PID 3636 wrote to memory of 3616 3636 ecfPJqv.exe cmd.exe PID 3636 wrote to memory of 3616 3636 ecfPJqv.exe cmd.exe PID 3636 wrote to memory of 3244 3636 ecfPJqv.exe cmd.exe PID 3636 wrote to memory of 3244 3636 ecfPJqv.exe cmd.exe PID 3616 wrote to memory of 2644 3616 cmd.exe vssadmin.exe PID 3616 wrote to memory of 2644 3616 cmd.exe vssadmin.exe PID 3244 wrote to memory of 3828 3244 cmd.exe PING.EXE PID 3244 wrote to memory of 3828 3244 cmd.exe PING.EXE PID 3616 wrote to memory of 3716 3616 cmd.exe bcdedit.exe PID 3616 wrote to memory of 3716 3616 cmd.exe bcdedit.exe PID 3616 wrote to memory of 3200 3616 cmd.exe bcdedit.exe PID 3616 wrote to memory of 3200 3616 cmd.exe bcdedit.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ecfPJqv.exe"C:\Users\Admin\AppData\Local\Temp\ecfPJqv.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Maps connected drives based on registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping -n 1 -w 5000 10.10.254.2543⤵
- Runs ping.exe
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_7639322.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\update.batMD5
d7e130066bfb1bdeed398db9e46ed158
SHA1284944a9518de2bd875d67c1b7cd9230ac5f090c
SHA25654937b7b28a10c0826e67d5caa2e5f99a003c8d39b133a85c712d9f2c29b58d8
SHA5125e532fc09403dc4df423f4554b61b4688ca37fbcfac15b74c50904a9fabde7b59ce1f0b521ebf55d2c09e5d901d355a1e16641304220861ecf807ccaf8b0468b
-
C:\Users\Admin\AppData\Roaming\delback.batMD5
2450c91afcc2d4cc3dea374820bed314
SHA1dd1b61d0aa6d1769018c1d3144de9bb960a64d3c
SHA2564f157084c6e48b547e698ed83ae9a853a4db4b7a115249db272e3eb93316f7df
SHA512b0b21d16b7f35bfc5526ed07407ec85a221a7a036827b65dce0a449d02a31f3f6f5ce2fbf94f0af01ce4a248b27ccf5f287dd2746ee423766be8d366f78ccc91
-
C:\Users\Admin\Desktop\README_7639322.txtMD5
035fd3c76cf48c384688fef958f4b35d
SHA1c1a32d5229dba9d7be240b3b11641102f122a467
SHA2569937a07de5507fcf1789f11d7ead370c2dfd7a80c0cb2a786a9fd8ea3af7723b
SHA512d6b6ed2f50f7941ae4b85cf280731880ab2ae6545b755e6c53f39a41f24b4f08ecf9129ca0e11836d12d52acdef0505897d785b84e7699c3a947159da3a98461
-
C:\Users\All Users\USOShared\Logs\User\NotifyIcon.7e7e6638-492c-4946-8981-d9c0872e8251.1.etlMD5
1828f210c0f4df1b61a6004e5a705bcd
SHA178deb67b99ee9a5b7b716fe0f03712c3c78cf208
SHA25687900a52483224d0e542c8748b24f52f17155357d49cba202f8c946ca520bddc
SHA5122f9da7cce6f5ff6cd943f38af78c3928e3ba7a7a5082ef1dbaeadd3203097ef1de6c43e9eb12d83a6e1a3a7106584a788094bbc31c87f8fa26b06111f0f92e60
-
memory/3636-133-0x00007FFAB0E63000-0x00007FFAB0E65000-memory.dmpFilesize
8KB
-
memory/3636-134-0x00000000002A0000-0x00000000002B4000-memory.dmpFilesize
80KB
-
memory/3636-135-0x000000001BBC0000-0x000000001BBC2000-memory.dmpFilesize
8KB