cerber | 48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d

Analysis

max time kernel
1595s
max time network
1615s
platform
windows7_x64
resource
win7-20220331-en
submitted
07-04-2022 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
Size

392KB
MD5

6653ef20d2a3a6ef656d9c886ebabd93
SHA1

bb0cc0b05bb70a3d347faa94fb36a35c771b0692
SHA256

48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d
SHA512

b68b37147ce0d1389d62f5f72ebb616edc7d2ed2aaa484e85f6dc4b6070c9ce973a523e11e311686dc0efb0757fe52dcfa430afb1f48f98ecfdc257c6f3cc360

Score

10^/10

cerber gozi_rm3 banker discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C" target="_blank">http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C</a></li> <li><a href="http://cerberhhyed5frqa.slr849.win/9A14-E96E-E65C-0291-953C" target="_blank">http://cerberhhyed5frqa.slr849.win/9A14-E96E-E65C-0291-953C</a></li> <li><a href="http://cerberhhyed5frqa.ret5kr.win/9A14-E96E-E65C-0291-953C" target="_blank">http://cerberhhyed5frqa.ret5kr.win/9A14-E96E-E65C-0291-953C</a></li> <li><a href="http://cerberhhyed5frqa.zgf48j.win/9A14-E96E-E65C-0291-953C" target="_blank">http://cerberhhyed5frqa.zgf48j.win/9A14-E96E-E65C-0291-953C</a></li> <li><a href="http://cerberhhyed5frqa.xltnet.win/9A14-E96E-E65C-0291-953C" target="_blank">http://cerberhhyed5frqa.xltnet.win/9A14-E96E-E65C-0291-953C</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C" target="_blank">http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C" target="_blank">http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C" target="_blank">http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/9A14-E96E-E65C-0291-953C in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Extracted

Path

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C | | 2. http://cerberhhyed5frqa.slr849.win/9A14-E96E-E65C-0291-953C | | 3. http://cerberhhyed5frqa.ret5kr.win/9A14-E96E-E65C-0291-953C | | 4. http://cerberhhyed5frqa.zgf48j.win/9A14-E96E-E65C-0291-953C | | 5. http://cerberhhyed5frqa.xltnet.win/9A14-E96E-E65C-0291-953C |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/9A14-E96E-E65C-0291-953C | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C

http://cerberhhyed5frqa.slr849.win/9A14-E96E-E65C-0291-953C

http://cerberhhyed5frqa.ret5kr.win/9A14-E96E-E65C-0291-953C

http://cerberhhyed5frqa.zgf48j.win/9A14-E96E-E65C-0291-953C

http://cerberhhyed5frqa.xltnet.win/9A14-E96E-E65C-0291-953C

http://cerberhhyed5frqa.onion/9A14-E96E-E65C-0291-953C

Extracted

Path

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Ransom Note

C E R B E R R A N S O M W A R E Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. What is encryption? Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. Everything is clear for me but what should I do? The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: decrypt all your files; work with your documents; view your photos and other media; continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. There is a list of temporary addresses to go on your personal page below: http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C http://cerberhhyed5frqa.slr849.win/9A14-E96E-E65C-0291-953C http://cerberhhyed5frqa.ret5kr.win/9A14-E96E-E65C-0291-953C http://cerberhhyed5frqa.zgf48j.win/9A14-E96E-E65C-0291-953C http://cerberhhyed5frqa.xltnet.win/9A14-E96E-E65C-0291-953C What should you do with these addresses? If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): take a look at the first address (in this case it is http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C); select it with the mouse cursor holding the left mouse button and moving the cursor to the right; release the left mouse button and press the right one; select "Copy" in the appeared menu; run your Internet browser (if you do not know what it is run the Internet Explorer); move the mouse cursor to the address bar of the browser (this is the place where the site address is written); click the right mouse button in the field where the site address is written; select the button "Insert" in the appeared menu; then you will see the address http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C appeared there; press ENTER; the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C); in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: run your Internet browser (if you do not know what it is run the Internet Explorer); enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; wait for the site loading; on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; run Tor Browser; connect with the button "Connect" (if you use the English version); a normal Internet browser window will be opened after the initialization; type or copy the address http://cerberhhyed5frqa.onion/9A14-E96E-E65C-0291-953C in this browser address bar; press ENTER; the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.xlfp45.win/9A14-E96E-E65C-0291-953C

http://cerberhhyed5frqa.slr849.win/9A14-E96E-E65C-0291-953C

http://cerberhhyed5frqa.ret5kr.win/9A14-E96E-E65C-0291-953C

http://cerberhhyed5frqa.zgf48j.win/9A14-E96E-E65C-0291-953C

http://cerberhhyed5frqa.xltnet.win/9A14-E96E-E65C-0291-953C

http://cerberhhyed5frqa.onion/9A14-E96E-E65C-0291-953C

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
Contacts a large (16390) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1548	bcdedit.exe
1540	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5423AF23-C6AC-B83E-DFA5-6E6A6DB39C86}\\TapiUnattend.exe\""	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5423AF23-C6AC-B83E-DFA5-6E6A6DB39C86}\\TapiUnattend.exe\""	TapiUnattend.exe

Executes dropped EXE 1 IoCs

pid	Process
2032	TapiUnattend.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\CompressSplit.tiff	TapiUnattend.exe
File opened for modification	C:\Users\Admin\Pictures\LimitConvert.tiff	TapiUnattend.exe
File opened for modification	C:\Users\Admin\Pictures\TestOpen.tiff	TapiUnattend.exe
File opened for modification	C:\Users\Admin\Pictures\GetInitialize.tiff	TapiUnattend.exe

Deletes itself 1 IoCs

pid	Process
2016	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\TapiUnattend.lnk	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\TapiUnattend.lnk	TapiUnattend.exe

Loads dropped DLL 3 IoCs

pid	Process
484	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
484	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
2032	TapiUnattend.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\TapiUnattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5423AF23-C6AC-B83E-DFA5-6E6A6DB39C86}\\TapiUnattend.exe\""	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run	TapiUnattend.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\TapiUnattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5423AF23-C6AC-B83E-DFA5-6E6A6DB39C86}\\TapiUnattend.exe\""	TapiUnattend.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	TapiUnattend.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\TapiUnattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5423AF23-C6AC-B83E-DFA5-6E6A6DB39C86}\\TapiUnattend.exe\""	TapiUnattend.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\TapiUnattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5423AF23-C6AC-B83E-DFA5-6E6A6DB39C86}\\TapiUnattend.exe\""	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TapiUnattend.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io
10	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp4DB4.bmp"	TapiUnattend.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2020	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
652	taskkill.exe
1160	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Control Panel\Desktop	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5423AF23-C6AC-B83E-DFA5-6E6A6DB39C86}\\TapiUnattend.exe\""	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Control Panel\Desktop	TapiUnattend.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5423AF23-C6AC-B83E-DFA5-6E6A6DB39C86}\\TapiUnattend.exe\""	TapiUnattend.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ac970f6e21c8045b4ad45959768992c00000000020000000000106600000001000020000000e0ac2f703af20d0f70bbc35276f247777c507e7fa245f0e0674880696022a389000000000e80000000020000200000009cc38aac761e03dcb4a20a31d339d6f2e5ce9051f79596606988724cc0598d7d90000000c4959ce8ddea3efc330b3a39483cf3ab03fbb238803ab446fbdf8500413f63eb4afa451c4181108f2e4357955141c8ab809d818d80bb7b53393ca894295767f54667d155280971a7b4506c1782333b3651e6aa797edf573745f4aa44798617b0daa46fe1c23547f97b0690625946f12773e08474981ad49aaad9536d69bcc0aab4c4aac10ff7a46e4e6bd1bcf9583411400000003e6787e6a11b65894745d5250e136af5335effae68d11388fbd40df24a1fd64bebba511caea8caf794f3afa9b3e6c2d6b96595800bb59e0469c27bc3044e7ad0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ac970f6e21c8045b4ad45959768992c0000000002000000000010660000000100002000000014cab1acdfd7e3294d0a9e04abf3ad7dd111c54d7e0ab573d52dfca4a315567f000000000e80000000020000200000000d86487a63518ea17ecc188c1252897e98701fdf6115b87dd208b5b133fd5cfd200000002488d27d76b14ca5192b2a9453c961ad9dde8f3e684c08742f3ffcd569102dea40000000b3f5795456d602dfbed24af76c0ba3d27053c6d4b1772f689de1cb0fe56bec1f9e057415e0dde9ecb091d60b795a98f18a8597cc6d9e509c393209dacfe52ab9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "356132141"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{420B93B1-B6BA-11EC-A035-EE0379424478} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 205d9808c74ad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1924	PING.EXE
1524	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2032	TapiUnattend.exe
2032	TapiUnattend.exe
2032	TapiUnattend.exe
2032	TapiUnattend.exe
2032	TapiUnattend.exe
2032	TapiUnattend.exe
2032	TapiUnattend.exe
2032	TapiUnattend.exe
2032	TapiUnattend.exe
2032	TapiUnattend.exe
2032	TapiUnattend.exe
2032	TapiUnattend.exe
2032	TapiUnattend.exe
2032	TapiUnattend.exe
2032	TapiUnattend.exe
2032	TapiUnattend.exe
2032	TapiUnattend.exe
2032	TapiUnattend.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1976	iexplore.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	484	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
Token: SeDebugPrivilege	2032	TapiUnattend.exe
Token: SeBackupPrivilege	668	vssvc.exe
Token: SeRestorePrivilege	668	vssvc.exe
Token: SeAuditPrivilege	668	vssvc.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeIncreaseQuotaPrivilege	564	wmic.exe
Token: SeSecurityPrivilege	564	wmic.exe
Token: SeTakeOwnershipPrivilege	564	wmic.exe
Token: SeLoadDriverPrivilege	564	wmic.exe
Token: SeSystemProfilePrivilege	564	wmic.exe
Token: SeSystemtimePrivilege	564	wmic.exe
Token: SeProfSingleProcessPrivilege	564	wmic.exe
Token: SeIncBasePriorityPrivilege	564	wmic.exe
Token: SeCreatePagefilePrivilege	564	wmic.exe
Token: SeBackupPrivilege	564	wmic.exe
Token: SeRestorePrivilege	564	wmic.exe
Token: SeShutdownPrivilege	564	wmic.exe
Token: SeDebugPrivilege	564	wmic.exe
Token: SeSystemEnvironmentPrivilege	564	wmic.exe
Token: SeRemoteShutdownPrivilege	564	wmic.exe
Token: SeUndockPrivilege	564	wmic.exe
Token: SeManageVolumePrivilege	564	wmic.exe
Token: 33	564	wmic.exe
Token: 34	564	wmic.exe
Token: 35	564	wmic.exe
Token: SeIncreaseQuotaPrivilege	564	wmic.exe
Token: SeSecurityPrivilege	564	wmic.exe
Token: SeTakeOwnershipPrivilege	564	wmic.exe
Token: SeLoadDriverPrivilege	564	wmic.exe
Token: SeSystemProfilePrivilege	564	wmic.exe
Token: SeSystemtimePrivilege	564	wmic.exe
Token: SeProfSingleProcessPrivilege	564	wmic.exe
Token: SeIncBasePriorityPrivilege	564	wmic.exe
Token: SeCreatePagefilePrivilege	564	wmic.exe
Token: SeBackupPrivilege	564	wmic.exe
Token: SeRestorePrivilege	564	wmic.exe
Token: SeShutdownPrivilege	564	wmic.exe
Token: SeDebugPrivilege	564	wmic.exe
Token: SeSystemEnvironmentPrivilege	564	wmic.exe
Token: SeRemoteShutdownPrivilege	564	wmic.exe
Token: SeUndockPrivilege	564	wmic.exe
Token: SeManageVolumePrivilege	564	wmic.exe
Token: 33	564	wmic.exe
Token: 34	564	wmic.exe
Token: 35	564	wmic.exe
Token: 33	1616	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1616	AUDIODG.EXE
Token: 33	1616	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1616	AUDIODG.EXE
Token: SeDebugPrivilege	1160	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1976	iexplore.exe
1976	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1976	iexplore.exe
1976	iexplore.exe
1976	iexplore.exe
1976	iexplore.exe
928	IEXPLORE.EXE
928	IEXPLORE.EXE
928	IEXPLORE.EXE
928	IEXPLORE.EXE
928	IEXPLORE.EXE
928	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
484	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
2032	TapiUnattend.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 484 wrote to memory of 2032	484	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe	28
PID 484 wrote to memory of 2032	484	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe	28
PID 484 wrote to memory of 2032	484	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe	28
PID 484 wrote to memory of 2032	484	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe	28
PID 2032 wrote to memory of 2020	2032	TapiUnattend.exe	30
PID 2032 wrote to memory of 2020	2032	TapiUnattend.exe	30
PID 2032 wrote to memory of 2020	2032	TapiUnattend.exe	30
PID 2032 wrote to memory of 2020	2032	TapiUnattend.exe	30
PID 484 wrote to memory of 2016	484	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe	29
PID 484 wrote to memory of 2016	484	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe	29
PID 484 wrote to memory of 2016	484	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe	29
PID 484 wrote to memory of 2016	484	VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe	29
PID 2016 wrote to memory of 652	2016	cmd.exe	34
PID 2016 wrote to memory of 652	2016	cmd.exe	34
PID 2016 wrote to memory of 652	2016	cmd.exe	34
PID 2016 wrote to memory of 652	2016	cmd.exe	34
PID 2016 wrote to memory of 1924	2016	cmd.exe	37
PID 2016 wrote to memory of 1924	2016	cmd.exe	37
PID 2016 wrote to memory of 1924	2016	cmd.exe	37
PID 2016 wrote to memory of 1924	2016	cmd.exe	37
PID 2032 wrote to memory of 564	2032	TapiUnattend.exe	38
PID 2032 wrote to memory of 564	2032	TapiUnattend.exe	38
PID 2032 wrote to memory of 564	2032	TapiUnattend.exe	38
PID 2032 wrote to memory of 564	2032	TapiUnattend.exe	38
PID 2032 wrote to memory of 1548	2032	TapiUnattend.exe	40
PID 2032 wrote to memory of 1548	2032	TapiUnattend.exe	40
PID 2032 wrote to memory of 1548	2032	TapiUnattend.exe	40
PID 2032 wrote to memory of 1548	2032	TapiUnattend.exe	40
PID 2032 wrote to memory of 1540	2032	TapiUnattend.exe	42
PID 2032 wrote to memory of 1540	2032	TapiUnattend.exe	42
PID 2032 wrote to memory of 1540	2032	TapiUnattend.exe	42
PID 2032 wrote to memory of 1540	2032	TapiUnattend.exe	42
PID 2032 wrote to memory of 1976	2032	TapiUnattend.exe	46
PID 2032 wrote to memory of 1976	2032	TapiUnattend.exe	46
PID 2032 wrote to memory of 1976	2032	TapiUnattend.exe	46
PID 2032 wrote to memory of 1976	2032	TapiUnattend.exe	46
PID 2032 wrote to memory of 1984	2032	TapiUnattend.exe	47
PID 2032 wrote to memory of 1984	2032	TapiUnattend.exe	47
PID 2032 wrote to memory of 1984	2032	TapiUnattend.exe	47
PID 2032 wrote to memory of 1984	2032	TapiUnattend.exe	47
PID 1976 wrote to memory of 928	1976	iexplore.exe	48
PID 1976 wrote to memory of 928	1976	iexplore.exe	48
PID 1976 wrote to memory of 928	1976	iexplore.exe	48
PID 1976 wrote to memory of 928	1976	iexplore.exe	48
PID 2032 wrote to memory of 1064	2032	TapiUnattend.exe	50
PID 2032 wrote to memory of 1064	2032	TapiUnattend.exe	50
PID 2032 wrote to memory of 1064	2032	TapiUnattend.exe	50
PID 2032 wrote to memory of 1064	2032	TapiUnattend.exe	50
PID 2032 wrote to memory of 1972	2032	TapiUnattend.exe	54
PID 2032 wrote to memory of 1972	2032	TapiUnattend.exe	54
PID 2032 wrote to memory of 1972	2032	TapiUnattend.exe	54
PID 2032 wrote to memory of 1972	2032	TapiUnattend.exe	54
PID 1972 wrote to memory of 1160	1972	cmd.exe	56
PID 1972 wrote to memory of 1160	1972	cmd.exe	56
PID 1972 wrote to memory of 1160	1972	cmd.exe	56
PID 1972 wrote to memory of 1524	1972	cmd.exe	58
PID 1972 wrote to memory of 1524	1972	cmd.exe	58
PID 1972 wrote to memory of 1524	1972	cmd.exe	58

C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:484
- C:\Users\Admin\AppData\Roaming\{5423AF23-C6AC-B83E-DFA5-6E6A6DB39C86}\TapiUnattend.exe
  "C:\Users\Admin\AppData\Roaming\{5423AF23-C6AC-B83E-DFA5-6E6A6DB39C86}\TapiUnattend.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Modifies extensions of user files
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2020
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1548
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1540
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:928
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:1984
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:1064
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "TapiUnattend.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{5423AF23-C6AC-B83E-DFA5-6E6A6DB39C86}\TapiUnattend.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "TapiUnattend.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1160
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1524
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:652
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1732

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x54c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Network Service Scanning

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XM18KV7Z.txt

Filesize
599B

MD5
27fc5adcfa7c9052606fa527ef479ffc

SHA1
99e4c60e38292a92f90b6446247088e782fc4912

SHA256
32d0f0927ff159288df9853614f45a387e5c2b786301992192afa0f4b3c21f44

SHA512
f89a1fe9a9dfb800496d4287eb0eb32193f19fe247afd242da80da3613eb5cef7f615545a831a6f501a1d0ff416661ff6a13463ba7d5a8af0dcb0f56d4c2a055

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\TapiUnattend.lnk

Filesize
1KB

MD5
b37a3266954753b5389b166259209523

SHA1
3cde81764acdfa3107242c2cdfb70d44eb52c021

SHA256
f9a883b9ffa4b6faecb49178a831f9672b8b9fe092d7e8fe0ee3e1632060914c

SHA512
11b8a1289dc400e938b5b36c1e6363f946ee84a666b79f36414253096c11694d9d16fcd3e339217eccb19bc2abf12fbb8dfbd3387a72dab1e415031de3a72312

Download Submit
C:\Users\Admin\AppData\Roaming\{5423AF23-C6AC-B83E-DFA5-6E6A6DB39C86}\TapiUnattend.exe

Filesize
392KB

MD5
6653ef20d2a3a6ef656d9c886ebabd93

SHA1
bb0cc0b05bb70a3d347faa94fb36a35c771b0692

SHA256
48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d

SHA512
b68b37147ce0d1389d62f5f72ebb616edc7d2ed2aaa484e85f6dc4b6070c9ce973a523e11e311686dc0efb0757fe52dcfa430afb1f48f98ecfdc257c6f3cc360

Download Submit
C:\Users\Admin\AppData\Roaming\{5423AF23-C6AC-B83E-DFA5-6E6A6DB39C86}\TapiUnattend.exe

Filesize
392KB

MD5
6653ef20d2a3a6ef656d9c886ebabd93

SHA1
bb0cc0b05bb70a3d347faa94fb36a35c771b0692

SHA256
48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d

SHA512
b68b37147ce0d1389d62f5f72ebb616edc7d2ed2aaa484e85f6dc4b6070c9ce973a523e11e311686dc0efb0757fe52dcfa430afb1f48f98ecfdc257c6f3cc360

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
7b01b6fcdf95401fe7fc59087c70c605

SHA1
c17f2b9834d4c212bc7ad96be569bc3359c7b034

SHA256
bb9c178e53ff9fd9bff1013bdd16b10c6256adfa9a16ce820e1344c32a89c724

SHA512
06a8fc3af2220078fe717f6ef9e7d928c7e3474b87a731f2b0d014c561026c79141a7c8c77d295c212165028bd1737549ef611747b32fb0d4d571494f9558a68

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
b0a42205c75c911f1b22e7bd0b9f7423

SHA1
e8f7bb07416736f913e28b67edbbcb246d28a633

SHA256
8a074b217ab7507cf42284841485634973adf48ec95806c61ec6ecf883db25f2

SHA512
2b83b54ead89c08c068e8d96849c3314b6eec73f372d3f07ce983ca907589f8f9fe49dd059954a6887c0de10ce0ea4dfc3d8cdf0c4d814720a8410c5ac98fe60

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.url

Filesize
85B

MD5
547ed6bb5997654bc5714c712d600b1c

SHA1
5332b7cf3055430bfb5db9c5794d40906557de5d

SHA256
3fd7e8afaa07f60b2fd34cd5de74faba2feb69d78db312288cda4e4f97654ac2

SHA512
ad723cfc9c07c049f576f887193a31354efa3825e315df1954ba6beed89078020f82688918453d91fa128f87c2ea1d35b58e237fcb87cec6b4714bec07308d34

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs

Filesize
219B

MD5
35a3e3b45dcfc1e6c4fd4a160873a0d1

SHA1
a0bcc855f2b75d82cbaae3a8710f816956e94b37

SHA256
8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

SHA512
6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

Download Submit
\Users\Admin\AppData\Roaming\{5423AF23-C6AC-B83E-DFA5-6E6A6DB39C86}\TapiUnattend.exe

Filesize
392KB

MD5
6653ef20d2a3a6ef656d9c886ebabd93

SHA1
bb0cc0b05bb70a3d347faa94fb36a35c771b0692

SHA256
48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d

SHA512
b68b37147ce0d1389d62f5f72ebb616edc7d2ed2aaa484e85f6dc4b6070c9ce973a523e11e311686dc0efb0757fe52dcfa430afb1f48f98ecfdc257c6f3cc360

Download Submit
\Users\Admin\AppData\Roaming\{5423AF23-C6AC-B83E-DFA5-6E6A6DB39C86}\TapiUnattend.exe

Filesize
392KB

MD5
6653ef20d2a3a6ef656d9c886ebabd93

SHA1
bb0cc0b05bb70a3d347faa94fb36a35c771b0692

SHA256
48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d

SHA512
b68b37147ce0d1389d62f5f72ebb616edc7d2ed2aaa484e85f6dc4b6070c9ce973a523e11e311686dc0efb0757fe52dcfa430afb1f48f98ecfdc257c6f3cc360

Download Submit
\Users\Admin\AppData\Roaming\{5423AF23-C6AC-B83E-DFA5-6E6A6DB39C86}\TapiUnattend.exe

Filesize
392KB

MD5
6653ef20d2a3a6ef656d9c886ebabd93

SHA1
bb0cc0b05bb70a3d347faa94fb36a35c771b0692

SHA256
48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d

SHA512
b68b37147ce0d1389d62f5f72ebb616edc7d2ed2aaa484e85f6dc4b6070c9ce973a523e11e311686dc0efb0757fe52dcfa430afb1f48f98ecfdc257c6f3cc360

Download Submit
memory/484-56-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/484-55-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/484-54-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download
memory/1984-74-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

Filesize
8KB

Download
memory/2032-64-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download