cerber | aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3

Analysis

max time kernel
655s
max time network
1565s
platform
windows7_x64
resource
win7-20220311-en
submitted
07-04-2022 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_41dd108ada487cb93a6e099e074f605b.exe
Size

382KB
MD5

41dd108ada487cb93a6e099e074f605b
SHA1

354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf
SHA256

aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3
SHA512

33adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b

Score

10^/10

cerber gozi_rm3 banker discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB" target="_blank">http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB</a></li> <li><a href="http://4kqd3hmqgptupi3p.we34re.top/6405-1A00-EAB2-0078-18EB" target="_blank">http://4kqd3hmqgptupi3p.we34re.top/6405-1A00-EAB2-0078-18EB</a></li> <li><a href="http://4kqd3hmqgptupi3p.5kti58.top/6405-1A00-EAB2-0078-18EB" target="_blank">http://4kqd3hmqgptupi3p.5kti58.top/6405-1A00-EAB2-0078-18EB</a></li> <li><a href="http://4kqd3hmqgptupi3p.vmckfi.top/6405-1A00-EAB2-0078-18EB" target="_blank">http://4kqd3hmqgptupi3p.vmckfi.top/6405-1A00-EAB2-0078-18EB</a></li> <li><a href="http://4kqd3hmqgptupi3p.onion.to/6405-1A00-EAB2-0078-18EB" target="_blank">http://4kqd3hmqgptupi3p.onion.to/6405-1A00-EAB2-0078-18EB</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB" target="_blank">http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB" target="_blank">http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB" target="_blank">http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://4kqd3hmqgptupi3p.onion/6405-1A00-EAB2-0078-18EB in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB | | 2. http://4kqd3hmqgptupi3p.we34re.top/6405-1A00-EAB2-0078-18EB | | 3. http://4kqd3hmqgptupi3p.5kti58.top/6405-1A00-EAB2-0078-18EB | | 4. http://4kqd3hmqgptupi3p.vmckfi.top/6405-1A00-EAB2-0078-18EB | | 5. http://4kqd3hmqgptupi3p.onion.to/6405-1A00-EAB2-0078-18EB |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://4kqd3hmqgptupi3p.onion/6405-1A00-EAB2-0078-18EB | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB

http://4kqd3hmqgptupi3p.we34re.top/6405-1A00-EAB2-0078-18EB

http://4kqd3hmqgptupi3p.5kti58.top/6405-1A00-EAB2-0078-18EB

http://4kqd3hmqgptupi3p.vmckfi.top/6405-1A00-EAB2-0078-18EB

http://4kqd3hmqgptupi3p.onion.to/6405-1A00-EAB2-0078-18EB

http://4kqd3hmqgptupi3p.onion/6405-1A00-EAB2-0078-18EB

Extracted

Path

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Ransom Note

C E R B E R R A N S O M W A R E Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. What is encryption? Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. Everything is clear for me but what should I do? The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: decrypt all your files; work with your documents; view your photos and other media; continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. There is a list of temporary addresses to go on your personal page below: http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB http://4kqd3hmqgptupi3p.we34re.top/6405-1A00-EAB2-0078-18EB http://4kqd3hmqgptupi3p.5kti58.top/6405-1A00-EAB2-0078-18EB http://4kqd3hmqgptupi3p.vmckfi.top/6405-1A00-EAB2-0078-18EB http://4kqd3hmqgptupi3p.onion.to/6405-1A00-EAB2-0078-18EB What should you do with these addresses? If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): take a look at the first address (in this case it is http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB); select it with the mouse cursor holding the left mouse button and moving the cursor to the right; release the left mouse button and press the right one; select "Copy" in the appeared menu; run your Internet browser (if you do not know what it is run the Internet Explorer); move the mouse cursor to the address bar of the browser (this is the place where the site address is written); click the right mouse button in the field where the site address is written; select the button "Insert" in the appeared menu; then you will see the address http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB appeared there; press ENTER; the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: click the left mouse button on the first address (in this case it is http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB); in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: run your Internet browser (if you do not know what it is run the Internet Explorer); enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; wait for the site loading; on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; run Tor Browser; connect with the button "Connect" (if you use the English version); a normal Internet browser window will be opened after the initialization; type or copy the address http://4kqd3hmqgptupi3p.onion/6405-1A00-EAB2-0078-18EB in this browser address bar; press ENTER; the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://4kqd3hmqgptupi3p.wins4n.win/6405-1A00-EAB2-0078-18EB

http://4kqd3hmqgptupi3p.we34re.top/6405-1A00-EAB2-0078-18EB

http://4kqd3hmqgptupi3p.5kti58.top/6405-1A00-EAB2-0078-18EB

http://4kqd3hmqgptupi3p.vmckfi.top/6405-1A00-EAB2-0078-18EB

http://4kqd3hmqgptupi3p.onion.to/6405-1A00-EAB2-0078-18EB

http://4kqd3hmqgptupi3p.onion/6405-1A00-EAB2-0078-18EB

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
Contacts a large (16388) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\\wuapp.exe\""	VirusShare_41dd108ada487cb93a6e099e074f605b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\\wuapp.exe\""	wuapp.exe

Executes dropped EXE 3 IoCs

pid	Process
1920	wuapp.exe
1600	wuapp.exe
1928	wuapp.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ConvertLock.tiff	wuapp.exe

Deletes itself 1 IoCs

pid	Process
1996	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\wuapp.lnk	VirusShare_41dd108ada487cb93a6e099e074f605b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\wuapp.lnk	wuapp.exe

Loads dropped DLL 2 IoCs

pid	Process
628	VirusShare_41dd108ada487cb93a6e099e074f605b.exe
1920	wuapp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuapp = "\"C:\\Users\\Admin\\AppData\\Roaming\\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\\wuapp.exe\""	wuapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	wuapp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wuapp = "\"C:\\Users\\Admin\\AppData\\Roaming\\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\\wuapp.exe\""	wuapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run	VirusShare_41dd108ada487cb93a6e099e074f605b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuapp = "\"C:\\Users\\Admin\\AppData\\Roaming\\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\\wuapp.exe\""	VirusShare_41dd108ada487cb93a6e099e074f605b.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	VirusShare_41dd108ada487cb93a6e099e074f605b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wuapp = "\"C:\\Users\\Admin\\AppData\\Roaming\\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\\wuapp.exe\""	VirusShare_41dd108ada487cb93a6e099e074f605b.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run	wuapp.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wuapp.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp3543.bmp"	wuapp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
1956	taskkill.exe
2260	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Desktop	VirusShare_41dd108ada487cb93a6e099e074f605b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\\wuapp.exe\""	VirusShare_41dd108ada487cb93a6e099e074f605b.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Desktop	wuapp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\\wuapp.exe\""	wuapp.exe

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc0000000002000000000010660000000100002000000076bc52b621bc243d8048c60128c95c9f1cd15d1ea6bdca641b26383f1b993034000000000e8000000002000020000000b3f6def34cba8416015edc735928710f7748d6f7c6d0507b9a37ebdc41055b5e90000000886426e8655ac53eab7ae7aa699cc9deb89942a87449f3d29c9c6f7f1f37f064d5eba9e6af3b07c29bb22c0eabcefb4a3a9153135ee0ff7edc0d8a5b9f746a5c7794d0f5db1e95d9cff201ba5c14a2484563b7402dbfee49a7b6c5d703fbfd0e08fe470cecddef44ec237974dd46d124eb64bb5cc6dfb8263fd85c70f823e0bea06dbc95b27d3b6f9cc23078aee1ae0240000000dd0b5ba242ae311f5f3526c688752e31b3196e92d0b68af2d5bc715078f0f6982da9c1d3fc03e8ae870cb07fb6356769bb87fdf7f1a89ca94eaacbe5734c8921	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc00000000020000000000106600000001000020000000867a918786e72d74d655813d8fea8f46fb69cc362a8adca58eaf83023069f1cd000000000e80000000020000200000001ca9d0e4f23240164d5d3c9afb5d1fdd75d75d0bc55349b36f9511db8310a69620000000d799ee0e1488edd19b4c9f8f2dc8d1f25630a1ef742644cc9c1d5f550f94aa3940000000831ea102075d9dbabaaed8046cbe2122a7014f191dbbdf5ef02a034abb7ee0b5bb84f1996e1f71a9fdb0ff529ad99dad0c12af08def50fc9ef5a9df155a09be2	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{06A508D1-B6A9-11EC-9547-6600847C1211} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "356124736"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 207ec7c9b54ad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{06DE29D1-B6A9-11EC-9547-6600847C1211} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1664	PING.EXE
2336	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe
1920	wuapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1164	iexplore.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	VirusShare_41dd108ada487cb93a6e099e074f605b.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	1920	wuapp.exe
Token: SeDebugPrivilege	1600	wuapp.exe
Token: SeDebugPrivilege	1928	wuapp.exe
Token: 33	852	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	852	AUDIODG.EXE
Token: 33	852	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	852	AUDIODG.EXE
Token: SeDebugPrivilege	2260	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1164	iexplore.exe
1164	iexplore.exe
1976	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1164	iexplore.exe
1164	iexplore.exe
1164	iexplore.exe
1164	iexplore.exe
1976	iexplore.exe
1976	iexplore.exe
1136	IEXPLORE.EXE
1136	IEXPLORE.EXE
1136	IEXPLORE.EXE
1136	IEXPLORE.EXE
1508	IEXPLORE.EXE
1508	IEXPLORE.EXE
1136	IEXPLORE.EXE
1136	IEXPLORE.EXE

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
628	VirusShare_41dd108ada487cb93a6e099e074f605b.exe
1920	wuapp.exe
1600	wuapp.exe
1928	wuapp.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 1920	628	VirusShare_41dd108ada487cb93a6e099e074f605b.exe	27
PID 628 wrote to memory of 1920	628	VirusShare_41dd108ada487cb93a6e099e074f605b.exe	27
PID 628 wrote to memory of 1920	628	VirusShare_41dd108ada487cb93a6e099e074f605b.exe	27
PID 628 wrote to memory of 1920	628	VirusShare_41dd108ada487cb93a6e099e074f605b.exe	27
PID 628 wrote to memory of 1996	628	VirusShare_41dd108ada487cb93a6e099e074f605b.exe	28
PID 628 wrote to memory of 1996	628	VirusShare_41dd108ada487cb93a6e099e074f605b.exe	28
PID 628 wrote to memory of 1996	628	VirusShare_41dd108ada487cb93a6e099e074f605b.exe	28
PID 628 wrote to memory of 1996	628	VirusShare_41dd108ada487cb93a6e099e074f605b.exe	28
PID 1996 wrote to memory of 1956	1996	cmd.exe	30
PID 1996 wrote to memory of 1956	1996	cmd.exe	30
PID 1996 wrote to memory of 1956	1996	cmd.exe	30
PID 1996 wrote to memory of 1956	1996	cmd.exe	30
PID 1996 wrote to memory of 1664	1996	cmd.exe	32
PID 1996 wrote to memory of 1664	1996	cmd.exe	32
PID 1996 wrote to memory of 1664	1996	cmd.exe	32
PID 1996 wrote to memory of 1664	1996	cmd.exe	32
PID 1724 wrote to memory of 1600	1724	taskeng.exe	39
PID 1724 wrote to memory of 1600	1724	taskeng.exe	39
PID 1724 wrote to memory of 1600	1724	taskeng.exe	39
PID 1724 wrote to memory of 1600	1724	taskeng.exe	39
PID 1724 wrote to memory of 1928	1724	taskeng.exe	40
PID 1724 wrote to memory of 1928	1724	taskeng.exe	40
PID 1724 wrote to memory of 1928	1724	taskeng.exe	40
PID 1724 wrote to memory of 1928	1724	taskeng.exe	40
PID 1920 wrote to memory of 1164	1920	wuapp.exe	41
PID 1920 wrote to memory of 1164	1920	wuapp.exe	41
PID 1920 wrote to memory of 1164	1920	wuapp.exe	41
PID 1920 wrote to memory of 1164	1920	wuapp.exe	41
PID 1920 wrote to memory of 1664	1920	wuapp.exe	42
PID 1920 wrote to memory of 1664	1920	wuapp.exe	42
PID 1920 wrote to memory of 1664	1920	wuapp.exe	42
PID 1920 wrote to memory of 1664	1920	wuapp.exe	42
PID 1164 wrote to memory of 1136	1164	iexplore.exe	43
PID 1164 wrote to memory of 1136	1164	iexplore.exe	43
PID 1164 wrote to memory of 1136	1164	iexplore.exe	43
PID 1164 wrote to memory of 1136	1164	iexplore.exe	43
PID 1976 wrote to memory of 1508	1976	iexplore.exe	45
PID 1976 wrote to memory of 1508	1976	iexplore.exe	45
PID 1976 wrote to memory of 1508	1976	iexplore.exe	45
PID 1976 wrote to memory of 1508	1976	iexplore.exe	45
PID 1920 wrote to memory of 1072	1920	wuapp.exe	46
PID 1920 wrote to memory of 1072	1920	wuapp.exe	46
PID 1920 wrote to memory of 1072	1920	wuapp.exe	46
PID 1920 wrote to memory of 1072	1920	wuapp.exe	46
PID 1920 wrote to memory of 2224	1920	wuapp.exe	50
PID 1920 wrote to memory of 2224	1920	wuapp.exe	50
PID 1920 wrote to memory of 2224	1920	wuapp.exe	50
PID 1920 wrote to memory of 2224	1920	wuapp.exe	50
PID 2224 wrote to memory of 2260	2224	cmd.exe	52
PID 2224 wrote to memory of 2260	2224	cmd.exe	52
PID 2224 wrote to memory of 2260	2224	cmd.exe	52
PID 2224 wrote to memory of 2336	2224	cmd.exe	54
PID 2224 wrote to memory of 2336	2224	cmd.exe	54
PID 2224 wrote to memory of 2336	2224	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\VirusShare_41dd108ada487cb93a6e099e074f605b.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_41dd108ada487cb93a6e099e074f605b.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Roaming\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\wuapp.exe
  "C:\Users\Admin\AppData\Roaming\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\wuapp.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Modifies extensions of user files
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1136
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:1664
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:1072
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "wuapp.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\wuapp.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "wuapp.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2260
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2336
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_41dd108ada487cb93a6e099e074f605b.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_41dd108ada487cb93a6e099e074f605b.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_41dd108ada487cb93a6e099e074f605b.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1664

C:\Windows\system32\taskeng.exe
taskeng.exe {3DCFD964-78EC-40F2-AA5B-664882B20300} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Roaming\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\wuapp.exe
  C:\Users\Admin\AppData\Roaming\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\wuapp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:1600
- C:\Users\Admin\AppData\Roaming\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\wuapp.exe
  C:\Users\Admin\AppData\Roaming\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\wuapp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:1928

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1508

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:936

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5c4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Network Service Scanning

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{06A508D1-B6A9-11EC-9547-6600847C1211}.dat

Filesize
5KB

MD5
0054aa4668dfa8e4676dfbac78aaea7a

SHA1
0f78947bd0236e377f8358297eb560dfd4de937c

SHA256
b4bc486332b2022b1d26099c891a1a5b7d19dc6e42fb53e7b04310ce72fd97f0

SHA512
c8cdf25d4b16b29aa62a7f22c87ab588036b90efbb3034786d5db0649708e5bb5bf5cd86519972cb358faa14bb6b79e68e069b707b74c4fed73d59e50fe0626b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\421LL0M9.txt

Filesize
607B

MD5
e62d0143092c2a39d5ac407e661c7456

SHA1
b4b35ab1ae4d6a38c1728cf6930bf7b69326343d

SHA256
510d6779ce73f10b99e9c30049b67e43ab04d37ff07bc88c21eb1a43c4f87616

SHA512
c3387144732533dfa2c7abc0df76a5056d5762faac9db88ebedc0c195d2d3ce31046f43a6aa009e4f52cc22acf6c1791aa900d6576da6ab03695bc77294480e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\wuapp.lnk

Filesize
1KB

MD5
a886425974809763af6ac18ab133fca5

SHA1
7ef9fa762d575bcb16329ea7f5543431cd08fbc4

SHA256
dc94685d7d4d0600b418319e6390dec05dae3427288c6c6e9d9586578a1cb806

SHA512
e9bde327b3a78bcd6330b085f62069651263195c05ca3ab695e9fcdf696fa3af34ea26f0eff66e2f110f8108b1cafb11a8dedf55db6aaba6544eafe36a705d20

Download Submit
C:\Users\Admin\AppData\Roaming\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\wuapp.exe

Filesize
382KB

MD5
41dd108ada487cb93a6e099e074f605b

SHA1
354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf

SHA256
aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3

SHA512
33adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b

Download Submit
C:\Users\Admin\AppData\Roaming\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\wuapp.exe

Filesize
382KB

MD5
41dd108ada487cb93a6e099e074f605b

SHA1
354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf

SHA256
aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3

SHA512
33adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b

Download Submit
C:\Users\Admin\AppData\Roaming\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\wuapp.exe

Filesize
382KB

MD5
41dd108ada487cb93a6e099e074f605b

SHA1
354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf

SHA256
aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3

SHA512
33adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b

Download Submit
C:\Users\Admin\AppData\Roaming\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\wuapp.exe

Filesize
382KB

MD5
41dd108ada487cb93a6e099e074f605b

SHA1
354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf

SHA256
aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3

SHA512
33adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
c247714dc1a8af7c5f4c8660f25070b2

SHA1
0201696cf2f83797b78c388e58c5e87578699faa

SHA256
2c60114480bf35e9bd85ebd842cd29d0e62a9d5346ec85cb0eb2f8720b4a5a4e

SHA512
1876f4d78dc7d5b949dfa5bf9ed2643abee03003ef3b4daaf239812fbeade10aaff7b9bcb46cccd8d1f695b3244795bd8fbb95145f155e498faf51ded64b7ea6

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
c7afff11dc53b96e79e0837c60a89c49

SHA1
0bc6e1b84afa6466b4bd045af4c3617f2b4ebe6a

SHA256
acab97c20d0a665665d4405ee1f0e07362464966c421a482febc78a0bbda2b4d

SHA512
dd754f20443331e0c0a2f9bd2cb173880187c819be6162a073012c0334641107aff6bce54092a1893df7ed6684923809f52f2d658770608d583c1e8e9564f486

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.url

Filesize
85B

MD5
6f48fe8ea594602aaeca4c0e977acd8a

SHA1
648d18be89cb5a623bdfeda8ea50b4a05261dd42

SHA256
f00f258ab6dbb32471a8a95c1063027457395f2ea6867d259c057264b50fd6a1

SHA512
72e65de5e17e3808ae93d0a5f19cfa4ce98df815c91c5bbe5c368ff5fe02512ddffdd0e7cab975fa1d0de8d9a392076a05f292eb53a1da705cda0d886d952af7

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs

Filesize
231B

MD5
9d8c4bfbd009c4d6001e2125abaa8b02

SHA1
cd040558172b5fca5b200447a281843956243741

SHA256
a652297987f14317100f8c5f7eb26d1bc67eb8a64f0b39b72b5fd5046a9f29b0

SHA512
c4c84f43642b805a105acce9ebc9f01aa0e6ef553ea32be3f8b890fc7440f0b7d3ddf99b9336bce20ce7a3d9b9f6434a704651a8af425ffc8407ba39d5de735f

Download Submit
\Users\Admin\AppData\Roaming\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\wuapp.exe

Filesize
382KB

MD5
41dd108ada487cb93a6e099e074f605b

SHA1
354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf

SHA256
aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3

SHA512
33adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b

Download Submit
\Users\Admin\AppData\Roaming\{CAB49217-40F8-DD7D-5ABA-7FBE8D716652}\wuapp.exe

Filesize
382KB

MD5
41dd108ada487cb93a6e099e074f605b

SHA1
354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf

SHA256
aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3

SHA512
33adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b

Download Submit
memory/628-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/628-55-0x0000000000140000-0x0000000000161000-memory.dmp

Filesize
132KB

Download
memory/628-54-0x0000000075471000-0x0000000075473000-memory.dmp

Filesize
8KB

Download
memory/1600-70-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1664-77-0x000007FEFBE01000-0x000007FEFBE03000-memory.dmp

Filesize
8KB

Download
memory/1920-65-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1928-74-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download