targetcompany | 53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62

Resubmissions

15/02/2022, 03:50

220215-ed4qhsafe5 10

15/02/2022, 02:39

220215-c5e55acbcm 10

Analysis

max time kernel
186s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
15/02/2022, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
Size

129KB
MD5

ed2fd6050340ecc464621137c7add3ad
SHA1

07adc67a3c72e76127ced9c0d72cea32b40d5c55
SHA256

53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62
SHA512

b8aff1b7953baf328f3b076afe81318c940925d71bbfec70987b5c9cc660baba747166506e453b88aa8212a887229cfa4e01c85d157d0b1a051c8e3ad0813e44

Score

10^/10

targetcompany evasion ransomware

Malware Config

Extracted

Path

C:\Program Files\How to decrypt files.txt

Family

targetcompany

Ransom Note

Your personal identifier: CAR8FNNCXM All files on Carone and Company Inc network have been encrypted due to insufficient security. The only way to quickly and reliably regain access to your files is to contact us. The price depends on how fast you write to us. In other cases, you risk losing your time and access to data. Usually time is much more valuable than money. In addition to encryption, we downloaded 700 gb of data from your network, which, if we do not negotiate, could fall into the hands of third parties and cause damage to your reputation. FAQ Q: How to contact us A: * Download Tor Browser - https://www.torproject.org/ * Open link in Tor Browser http://jnjorcburoayrwfrmnq3czngju76wdjyuyufqaep6joutvidohuh24ad.onion/contact * Follow the instructions on the website. Q: What guarantees? A: Before paying, we can decrypt several of your test files. Files should not contain valuable information. Q: Can I decrypt my data for free or through intermediaries? A: Use third party programs and intermediaries at your own risk. Third party software may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam. �

URLs

http://jnjorcburoayrwfrmnq3czngju76wdjyuyufqaep6joutvidohuh24ad.onion/contact

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2844 created 788	2844	WerFault.exe	90

TargetCompany
Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
ransomware targetcompany
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2896	bcdedit.exe
2428	bcdedit.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\EditRepair.tiff	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File renamed	C:\Users\Admin\Pictures\EditRepair.tiff => C:\Users\Admin\Pictures\EditRepair.tiff.carone	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File renamed	C:\Users\Admin\Pictures\InstallReset.raw => C:\Users\Admin\Pictures\InstallReset.raw.carone	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File renamed	C:\Users\Admin\Pictures\ConvertLock.png => C:\Users\Admin\Pictures\ConvertLock.png.carone	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File renamed	C:\Users\Admin\Pictures\AssertRemove.tif => C:\Users\Admin\Pictures\AssertRemove.tif.carone	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File renamed	C:\Users\Admin\Pictures\RestartInitialize.tif => C:\Users\Admin\Pictures\RestartInitialize.tif.carone	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File renamed	C:\Users\Admin\Pictures\UpdateWrite.raw => C:\Users\Admin\Pictures\UpdateWrite.raw.carone	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File renamed	C:\Users\Admin\Pictures\ResolveConfirm.raw => C:\Users\Admin\Pictures\ResolveConfirm.raw.carone	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File renamed	C:\Users\Admin\Pictures\RestartUpdate.png => C:\Users\Admin\Pictures\RestartUpdate.png.carone	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\A:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\F:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\G:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\H:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\L:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\M:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\P:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\W:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\R:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\U:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\V:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\B:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\N:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\O:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\Y:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\Z:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\E:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\I:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\J:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\K:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\Q:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\S:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened (read-only)	\??\X:	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGIB.TTF	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files\Microsoft Office\root\vfs\SystemX86\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder_18.svg	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\sendforcomments.svg	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\vlc.mo	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\upsell.png	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\SEGOEUISL.TTF	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\ui-strings.js	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\circle_2x.png	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\zh-CN.pak.DATA	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_anonymoususer_18.svg	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\ui-strings.js	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\pa.pak.DATA	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_reader_logo.svg	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files\Microsoft Office 15\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\altDekstopCopyPasteHelper.js	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\illustrations_retina.png	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_ja_4.4.0.v20140623020002.jar	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-oob.xrm-ms	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sv-se\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\PlayStore_icon.svg	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign-2x.png	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql90.xsl	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\gl.pak.DATA	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-ae\ui-strings.js	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\no_get.svg	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\css\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OWSHLP10.CHM	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\ui-strings.js	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\warning_2x.png	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\s_empty_folder_state.svg	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail.png	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\ui-strings.js	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-focus_32.svg	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\ui-strings.js	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\How to decrypt files.txt	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
272	788	WerFault.exe	90

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3820	vssadmin.exe

Modifies data under HKEY_USERS 56 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4052"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4344"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.053891"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132895427936707733"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "1157726"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.013155"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.222203"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4300"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4096"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "90228624"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2220	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
2220	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
272	WerFault.exe
272	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2220	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
Token: SeDebugPrivilege	2220	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
Token: SeBackupPrivilege	840	vssvc.exe
Token: SeRestorePrivilege	840	vssvc.exe
Token: SeAuditPrivilege	840	vssvc.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe
Token: SeSecurityPrivilege	1760	TiWorker.exe
Token: SeBackupPrivilege	1760	TiWorker.exe
Token: SeRestorePrivilege	1760	TiWorker.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 3820	2220	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe	64
PID 2220 wrote to memory of 3820	2220	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe	64
PID 2220 wrote to memory of 1556	2220	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe	66
PID 2220 wrote to memory of 1556	2220	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe	66
PID 2220 wrote to memory of 3316	2220	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe	68
PID 2220 wrote to memory of 3316	2220	53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe	68
PID 3316 wrote to memory of 2428	3316	cmd.exe	72
PID 3316 wrote to memory of 2428	3316	cmd.exe	72
PID 1556 wrote to memory of 2896	1556	cmd.exe	71
PID 1556 wrote to memory of 2896	1556	cmd.exe	71
PID 2844 wrote to memory of 788	2844	WerFault.exe	90
PID 2844 wrote to memory of 788	2844	WerFault.exe	90

C:\Users\Admin\AppData\Local\Temp\53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe
"C:\Users\Admin\AppData\Local\Temp\53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\system32\vssadmin.exe
  "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:3820
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2896
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2428

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4016

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:788
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 788 -s 780
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:272

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 196 -p 788 -ip 788
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\How to decrypt files.txt
1⤵
PID:3128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads