cerber | db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

Analysis

max time kernel
1604s
max time network
1607s
platform
windows7_x64
resource
win7-20220331-en
submitted
07-04-2022 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_270b70bad151a515136f553e5bc880ac.exe
Size

344KB
MD5

270b70bad151a515136f553e5bc880ac
SHA1

77b7def336c7647c6faadaf7136d70ff1e9ba7fc
SHA256

db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa
SHA512

c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

Score

10^/10

cerber gozi_rm3 banker discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC" target="_blank">http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC</a></li> <li><a href="http://cerberhhyed5frqa.45tori.win/B439-D36B-E02F-0073-1CDC" target="_blank">http://cerberhhyed5frqa.45tori.win/B439-D36B-E02F-0073-1CDC</a></li> <li><a href="http://cerberhhyed5frqa.fkr84i.win/B439-D36B-E02F-0073-1CDC" target="_blank">http://cerberhhyed5frqa.fkr84i.win/B439-D36B-E02F-0073-1CDC</a></li> <li><a href="http://cerberhhyed5frqa.fkri48.win/B439-D36B-E02F-0073-1CDC" target="_blank">http://cerberhhyed5frqa.fkri48.win/B439-D36B-E02F-0073-1CDC</a></li> <li><a href="http://cerberhhyed5frqa.djre89.win/B439-D36B-E02F-0073-1CDC" target="_blank">http://cerberhhyed5frqa.djre89.win/B439-D36B-E02F-0073-1CDC</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC" target="_blank">http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC" target="_blank">http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC" target="_blank">http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/B439-D36B-E02F-0073-1CDC in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC | | 2. http://cerberhhyed5frqa.45tori.win/B439-D36B-E02F-0073-1CDC | | 3. http://cerberhhyed5frqa.fkr84i.win/B439-D36B-E02F-0073-1CDC | | 4. http://cerberhhyed5frqa.fkri48.win/B439-D36B-E02F-0073-1CDC | | 5. http://cerberhhyed5frqa.djre89.win/B439-D36B-E02F-0073-1CDC |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/B439-D36B-E02F-0073-1CDC | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC

http://cerberhhyed5frqa.45tori.win/B439-D36B-E02F-0073-1CDC

http://cerberhhyed5frqa.fkr84i.win/B439-D36B-E02F-0073-1CDC

http://cerberhhyed5frqa.fkri48.win/B439-D36B-E02F-0073-1CDC

http://cerberhhyed5frqa.djre89.win/B439-D36B-E02F-0073-1CDC

http://cerberhhyed5frqa.onion/B439-D36B-E02F-0073-1CDC

Extracted

Path

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Ransom Note

C E R B E R R A N S O M W A R E Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. What is encryption? Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. Everything is clear for me but what should I do? The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: decrypt all your files; work with your documents; view your photos and other media; continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. There is a list of temporary addresses to go on your personal page below: http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC http://cerberhhyed5frqa.45tori.win/B439-D36B-E02F-0073-1CDC http://cerberhhyed5frqa.fkr84i.win/B439-D36B-E02F-0073-1CDC http://cerberhhyed5frqa.fkri48.win/B439-D36B-E02F-0073-1CDC http://cerberhhyed5frqa.djre89.win/B439-D36B-E02F-0073-1CDC What should you do with these addresses? If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): take a look at the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC); select it with the mouse cursor holding the left mouse button and moving the cursor to the right; release the left mouse button and press the right one; select "Copy" in the appeared menu; run your Internet browser (if you do not know what it is run the Internet Explorer); move the mouse cursor to the address bar of the browser (this is the place where the site address is written); click the right mouse button in the field where the site address is written; select the button "Insert" in the appeared menu; then you will see the address http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC appeared there; press ENTER; the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC); in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: run your Internet browser (if you do not know what it is run the Internet Explorer); enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; wait for the site loading; on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; run Tor Browser; connect with the button "Connect" (if you use the English version); a normal Internet browser window will be opened after the initialization; type or copy the address http://cerberhhyed5frqa.onion/B439-D36B-E02F-0073-1CDC in this browser address bar; press ENTER; the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.vmfu48.win/B439-D36B-E02F-0073-1CDC

http://cerberhhyed5frqa.45tori.win/B439-D36B-E02F-0073-1CDC

http://cerberhhyed5frqa.fkr84i.win/B439-D36B-E02F-0073-1CDC

http://cerberhhyed5frqa.fkri48.win/B439-D36B-E02F-0073-1CDC

http://cerberhhyed5frqa.djre89.win/B439-D36B-E02F-0073-1CDC

http://cerberhhyed5frqa.onion/B439-D36B-E02F-0073-1CDC

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
Contacts a large (16388) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
268	bcdedit.exe
112	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{0C8E1DD8-256A-D016-6310-AD9D516D7123}\\mfpmp.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{0C8E1DD8-256A-D016-6310-AD9D516D7123}\\mfpmp.exe\""	mfpmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1972	mfpmp.exe

Deletes itself 1 IoCs

pid	Process
2040	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\mfpmp.lnk	VirusShare_270b70bad151a515136f553e5bc880ac.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\mfpmp.lnk	mfpmp.exe

Loads dropped DLL 3 IoCs

pid	Process
1092	VirusShare_270b70bad151a515136f553e5bc880ac.exe
1092	VirusShare_270b70bad151a515136f553e5bc880ac.exe
1972	mfpmp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\Run\mfpmp = "\"C:\\Users\\Admin\\AppData\\Roaming\\{0C8E1DD8-256A-D016-6310-AD9D516D7123}\\mfpmp.exe\""	mfpmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	mfpmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mfpmp = "\"C:\\Users\\Admin\\AppData\\Roaming\\{0C8E1DD8-256A-D016-6310-AD9D516D7123}\\mfpmp.exe\""	mfpmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\Run	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\Run\mfpmp = "\"C:\\Users\\Admin\\AppData\\Roaming\\{0C8E1DD8-256A-D016-6310-AD9D516D7123}\\mfpmp.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mfpmp = "\"C:\\Users\\Admin\\AppData\\Roaming\\{0C8E1DD8-256A-D016-6310-AD9D516D7123}\\mfpmp.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\Run	mfpmp.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA371.bmp"	mfpmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2044	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
576	taskkill.exe
2472	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Control Panel\Desktop	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{0C8E1DD8-256A-D016-6310-AD9D516D7123}\\mfpmp.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Control Panel\Desktop	mfpmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{0C8E1DD8-256A-D016-6310-AD9D516D7123}\\mfpmp.exe\""	mfpmp.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f2c0bd9fd0fc1c4d8404f89f10ad210100000000020000000000106600000001000020000000be970b3a2014aa3496afa3310fd221ea9ed5cec89c14d8a0027552a9f1fdbf87000000000e8000000002000020000000b9339cd0b015affc8277b3247b6ee20a7cdaaa67ecdd97a78fed8ffc9f7e91b320000000e6447dd18849fdc62f83452919d0d783670d20b700f973450bd84d7381ceaafd40000000fe227e17cb39c24750454e350b5c92b8c5ab7d0ea8d8fa4d0c8115775c66db2062db23771311a7210f14cd1d80013d622c894c4f7ecca1780f37efae3387374a	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "356132073"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f2c0bd9fd0fc1c4d8404f89f10ad2101000000000200000000001066000000010000200000003bf887140e615af6a23487c0d2650629b68267aacf749c0f91ef3e3d97191367000000000e8000000002000020000000b939ebc42d9a31bb65cbd25aaa775de2886c3ecc5a3eb1e78377573ff40a3e519000000034aad72ad23aa54b0635bfa730004e3d907dea698e394a1decb24c4f873211a215cfd4e9d515d0011e1e726d304827e758c0a19f7f84ecf30e57656962d6331538e7460968a2e7a11aec5df8a0cf099d05b388d4b4bf3b7b91c6e53f8b1c1807961c9dbc3fadb01a16f96cb763a6cad309a2f796912cdb5bd79232ea153d35887a5f9c8ee6d9b628b9f229f16460c65b400000007e072044459b2b8fe62acaa79a880aeed4731176988058a81d111fd2c8d6a72501f6c2be08d065036ca1301ad1b3c77edcfa5122087a688c627b5b9346486724	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d089efdec64ad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1B1A3F41-B6BA-11EC-BF97-FAC00B121194} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1AF42941-B6BA-11EC-BF97-FAC00B121194} = "0"	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1484	PING.EXE
2552	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1972	mfpmp.exe
1972	mfpmp.exe
1972	mfpmp.exe
1972	mfpmp.exe
1972	mfpmp.exe
1972	mfpmp.exe
1972	mfpmp.exe
1972	mfpmp.exe
1972	mfpmp.exe
1972	mfpmp.exe
1972	mfpmp.exe
1972	mfpmp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
224	iexplore.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Token: SeDebugPrivilege	1972	mfpmp.exe
Token: SeBackupPrivilege	1144	vssvc.exe
Token: SeRestorePrivilege	1144	vssvc.exe
Token: SeAuditPrivilege	1144	vssvc.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1996	wmic.exe
Token: SeSecurityPrivilege	1996	wmic.exe
Token: SeTakeOwnershipPrivilege	1996	wmic.exe
Token: SeLoadDriverPrivilege	1996	wmic.exe
Token: SeSystemProfilePrivilege	1996	wmic.exe
Token: SeSystemtimePrivilege	1996	wmic.exe
Token: SeProfSingleProcessPrivilege	1996	wmic.exe
Token: SeIncBasePriorityPrivilege	1996	wmic.exe
Token: SeCreatePagefilePrivilege	1996	wmic.exe
Token: SeBackupPrivilege	1996	wmic.exe
Token: SeRestorePrivilege	1996	wmic.exe
Token: SeShutdownPrivilege	1996	wmic.exe
Token: SeDebugPrivilege	1996	wmic.exe
Token: SeSystemEnvironmentPrivilege	1996	wmic.exe
Token: SeRemoteShutdownPrivilege	1996	wmic.exe
Token: SeUndockPrivilege	1996	wmic.exe
Token: SeManageVolumePrivilege	1996	wmic.exe
Token: 33	1996	wmic.exe
Token: 34	1996	wmic.exe
Token: 35	1996	wmic.exe
Token: SeIncreaseQuotaPrivilege	1996	wmic.exe
Token: SeSecurityPrivilege	1996	wmic.exe
Token: SeTakeOwnershipPrivilege	1996	wmic.exe
Token: SeLoadDriverPrivilege	1996	wmic.exe
Token: SeSystemProfilePrivilege	1996	wmic.exe
Token: SeSystemtimePrivilege	1996	wmic.exe
Token: SeProfSingleProcessPrivilege	1996	wmic.exe
Token: SeIncBasePriorityPrivilege	1996	wmic.exe
Token: SeCreatePagefilePrivilege	1996	wmic.exe
Token: SeBackupPrivilege	1996	wmic.exe
Token: SeRestorePrivilege	1996	wmic.exe
Token: SeShutdownPrivilege	1996	wmic.exe
Token: SeDebugPrivilege	1996	wmic.exe
Token: SeSystemEnvironmentPrivilege	1996	wmic.exe
Token: SeRemoteShutdownPrivilege	1996	wmic.exe
Token: SeUndockPrivilege	1996	wmic.exe
Token: SeManageVolumePrivilege	1996	wmic.exe
Token: 33	1996	wmic.exe
Token: 34	1996	wmic.exe
Token: 35	1996	wmic.exe
Token: 33	836	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	836	AUDIODG.EXE
Token: 33	836	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	836	AUDIODG.EXE
Token: SeDebugPrivilege	2472	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
224	iexplore.exe
224	iexplore.exe
1524	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
224	iexplore.exe
224	iexplore.exe
1524	iexplore.exe
1524	iexplore.exe
224	iexplore.exe
224	iexplore.exe
288	IEXPLORE.EXE
1544	IEXPLORE.EXE
1544	IEXPLORE.EXE
1544	IEXPLORE.EXE
1544	IEXPLORE.EXE
288	IEXPLORE.EXE
1544	IEXPLORE.EXE
1544	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1092	VirusShare_270b70bad151a515136f553e5bc880ac.exe
1972	mfpmp.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1972	1092	VirusShare_270b70bad151a515136f553e5bc880ac.exe	28
PID 1092 wrote to memory of 1972	1092	VirusShare_270b70bad151a515136f553e5bc880ac.exe	28
PID 1092 wrote to memory of 1972	1092	VirusShare_270b70bad151a515136f553e5bc880ac.exe	28
PID 1092 wrote to memory of 1972	1092	VirusShare_270b70bad151a515136f553e5bc880ac.exe	28
PID 1972 wrote to memory of 2044	1972	mfpmp.exe	30
PID 1972 wrote to memory of 2044	1972	mfpmp.exe	30
PID 1972 wrote to memory of 2044	1972	mfpmp.exe	30
PID 1972 wrote to memory of 2044	1972	mfpmp.exe	30
PID 1092 wrote to memory of 2040	1092	VirusShare_270b70bad151a515136f553e5bc880ac.exe	29
PID 1092 wrote to memory of 2040	1092	VirusShare_270b70bad151a515136f553e5bc880ac.exe	29
PID 1092 wrote to memory of 2040	1092	VirusShare_270b70bad151a515136f553e5bc880ac.exe	29
PID 1092 wrote to memory of 2040	1092	VirusShare_270b70bad151a515136f553e5bc880ac.exe	29
PID 2040 wrote to memory of 576	2040	cmd.exe	34
PID 2040 wrote to memory of 576	2040	cmd.exe	34
PID 2040 wrote to memory of 576	2040	cmd.exe	34
PID 2040 wrote to memory of 576	2040	cmd.exe	34
PID 2040 wrote to memory of 1484	2040	cmd.exe	37
PID 2040 wrote to memory of 1484	2040	cmd.exe	37
PID 2040 wrote to memory of 1484	2040	cmd.exe	37
PID 2040 wrote to memory of 1484	2040	cmd.exe	37
PID 1972 wrote to memory of 1996	1972	mfpmp.exe	38
PID 1972 wrote to memory of 1996	1972	mfpmp.exe	38
PID 1972 wrote to memory of 1996	1972	mfpmp.exe	38
PID 1972 wrote to memory of 1996	1972	mfpmp.exe	38
PID 1972 wrote to memory of 268	1972	mfpmp.exe	40
PID 1972 wrote to memory of 268	1972	mfpmp.exe	40
PID 1972 wrote to memory of 268	1972	mfpmp.exe	40
PID 1972 wrote to memory of 268	1972	mfpmp.exe	40
PID 1972 wrote to memory of 112	1972	mfpmp.exe	42
PID 1972 wrote to memory of 112	1972	mfpmp.exe	42
PID 1972 wrote to memory of 112	1972	mfpmp.exe	42
PID 1972 wrote to memory of 112	1972	mfpmp.exe	42
PID 1972 wrote to memory of 224	1972	mfpmp.exe	46
PID 1972 wrote to memory of 224	1972	mfpmp.exe	46
PID 1972 wrote to memory of 224	1972	mfpmp.exe	46
PID 1972 wrote to memory of 224	1972	mfpmp.exe	46
PID 1972 wrote to memory of 1492	1972	mfpmp.exe	47
PID 1972 wrote to memory of 1492	1972	mfpmp.exe	47
PID 1972 wrote to memory of 1492	1972	mfpmp.exe	47
PID 1972 wrote to memory of 1492	1972	mfpmp.exe	47
PID 224 wrote to memory of 1544	224	iexplore.exe	50
PID 224 wrote to memory of 1544	224	iexplore.exe	50
PID 224 wrote to memory of 1544	224	iexplore.exe	50
PID 224 wrote to memory of 1544	224	iexplore.exe	50
PID 1524 wrote to memory of 288	1524	iexplore.exe	51
PID 1524 wrote to memory of 288	1524	iexplore.exe	51
PID 1524 wrote to memory of 288	1524	iexplore.exe	51
PID 1524 wrote to memory of 288	1524	iexplore.exe	51
PID 1972 wrote to memory of 636	1972	mfpmp.exe	52
PID 1972 wrote to memory of 636	1972	mfpmp.exe	52
PID 1972 wrote to memory of 636	1972	mfpmp.exe	52
PID 1972 wrote to memory of 636	1972	mfpmp.exe	52
PID 1972 wrote to memory of 2436	1972	mfpmp.exe	56
PID 1972 wrote to memory of 2436	1972	mfpmp.exe	56
PID 1972 wrote to memory of 2436	1972	mfpmp.exe	56
PID 1972 wrote to memory of 2436	1972	mfpmp.exe	56
PID 2436 wrote to memory of 2472	2436	cmd.exe	58
PID 2436 wrote to memory of 2472	2436	cmd.exe	58
PID 2436 wrote to memory of 2472	2436	cmd.exe	58
PID 2436 wrote to memory of 2552	2436	cmd.exe	60
PID 2436 wrote to memory of 2552	2436	cmd.exe	60
PID 2436 wrote to memory of 2552	2436	cmd.exe	60

C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Users\Admin\AppData\Roaming\{0C8E1DD8-256A-D016-6310-AD9D516D7123}\mfpmp.exe
  "C:\Users\Admin\AppData\Roaming\{0C8E1DD8-256A-D016-6310-AD9D516D7123}\mfpmp.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2044
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:268
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:112
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:224 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1544
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:1492
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:636
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "mfpmp.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{0C8E1DD8-256A-D016-6310-AD9D516D7123}\mfpmp.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "mfpmp.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2472
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2552
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_270b70bad151a515136f553e5bc880ac.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_270b70bad151a515136f553e5bc880ac.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1524 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:288

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:596

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x57c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Network Service Scanning

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1AF42941-B6BA-11EC-BF97-FAC00B121194}.dat

Filesize
5KB

MD5
6ab5d807a24d782832bb6fda06c989cc

SHA1
1b783e904557cf997ea70cad38e3e6a36dbb9b73

SHA256
12e5604943afbcaa8a8c9aec6fe561a0f4f26d0ed37f9d47ae25bb327eef314e

SHA512
cd5508b8565e364a4cf65c7bead95988841f0cd31cd5ba0a33c69ad0e221acccc4257f8644068c393d5fa9eddda38cf8a4e250ac80493f19dd4884481a4d7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1B1A3F41-B6BA-11EC-BF97-FAC00B121194}.dat

Filesize
4KB

MD5
f4f9f12fc54ea9493f82d9caaca33fdd

SHA1
9c4f563f129ae74172ce215f39d3c9aaeb1b384c

SHA256
89022477a0d1567d6a1db04382d99bf2dc14a752007d1d467653a2723e03ce6e

SHA512
02614165db00acb14846df6b7608c5605cbd19a439e67eab1afabfba2d19a7932e17769b6bd392edf0bb68d532e180e787d3e621ad144b24ecd2a950b7cca3b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NUQM6KQ1.txt

Filesize
598B

MD5
14775ba92b87b0b6fe0c96b4d5aec13f

SHA1
c0dfca6dea46b6ed305f5659db8c256a0da109d8

SHA256
98f3fbf0a58d402f6a08b1194a1f933ca1f9f46dd38c47c505b6fa2f610cabe7

SHA512
bab779e649b34408531fa68f1540829e0cfc308aaf85ff124129f3c341e2cd8cd18df0a798c90635339bc98148459b88933b0769cd5b74a2a95e0104d6950852

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\mfpmp.lnk

Filesize
1KB

MD5
9cf1f8f7bf32963fded520e0250904f0

SHA1
3121a3b77d5508620c160e71db83ed576340be35

SHA256
6c678e7fc24ff6e71c7a396531430da7f479c76b7b1757fe3d02e9580e1228f9

SHA512
e8d296a9b6ee6aad3d0fa35184871e9e9f8650c9c04a91a6aaccb6255773f64cb63a3d6744705978c6756aa067ded8207976e19f5e8fdc191a1b5a62c283d715

Download Submit
C:\Users\Admin\AppData\Roaming\{0C8E1DD8-256A-D016-6310-AD9D516D7123}\mfpmp.exe

Filesize
344KB

MD5
270b70bad151a515136f553e5bc880ac

SHA1
77b7def336c7647c6faadaf7136d70ff1e9ba7fc

SHA256
db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

SHA512
c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

Download Submit
C:\Users\Admin\AppData\Roaming\{0C8E1DD8-256A-D016-6310-AD9D516D7123}\mfpmp.exe

Filesize
344KB

MD5
270b70bad151a515136f553e5bc880ac

SHA1
77b7def336c7647c6faadaf7136d70ff1e9ba7fc

SHA256
db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

SHA512
c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
3dbd8ba2d13356f6ba3c1ddff6c737b7

SHA1
c91206fbf9ed847afd2ca2ea498b89a7f419434e

SHA256
f0500fbbc4f150b2570ca08f04cbd6891987ae90413d993332403fabe2cd38bc

SHA512
812c1cbf70e95fc130e4e7e77146c2b434f813e4d1ba630952c4440f60c30bb7001f6bea67c5208209625c16bbd9c9bb656108ad3b14b9c2c0473bfd1cdf66eb

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
bf88fab3d0de2e8cc6d8dc14e723bb51

SHA1
4b62a88ffa1ba17fbaf2cb865e7a7cdf5b3f55cf

SHA256
92424c93ffdaa6146605adef624be5e03602f2ef680dce1ebb8ca4b2075a72ee

SHA512
3950ba9dc018001bd1f4634497ca26c31f1a664f0a43818b027110ac00c9ecfa911f986623eecf3e805822d4fa91aea5e23fddfc7a29d84bac7daf30ec011e0e

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.url

Filesize
85B

MD5
2e1b5397c03ce361b1a57ceb5596af6c

SHA1
a056138d6ab89eeb7376c3c0ae35ca5fa04eedb3

SHA256
f900905baa76641d5261f5aad2f69b85bf64d24c4fbc11868e3eb9745bcc1309

SHA512
a05558a6305b7e2f4dea2d9d243f2bbc590def099b67aa3affadeb54b15d90df9b3f9370c57ad9869f12016cdb4021476e8bbc4bf2b1f8cc55661081d413b23b

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs

Filesize
219B

MD5
35a3e3b45dcfc1e6c4fd4a160873a0d1

SHA1
a0bcc855f2b75d82cbaae3a8710f816956e94b37

SHA256
8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

SHA512
6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

Download Submit
\Users\Admin\AppData\Roaming\{0C8E1DD8-256A-D016-6310-AD9D516D7123}\mfpmp.exe

Filesize
344KB

MD5
270b70bad151a515136f553e5bc880ac

SHA1
77b7def336c7647c6faadaf7136d70ff1e9ba7fc

SHA256
db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

SHA512
c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

Download Submit
\Users\Admin\AppData\Roaming\{0C8E1DD8-256A-D016-6310-AD9D516D7123}\mfpmp.exe

Filesize
344KB

MD5
270b70bad151a515136f553e5bc880ac

SHA1
77b7def336c7647c6faadaf7136d70ff1e9ba7fc

SHA256
db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

SHA512
c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

Download Submit
\Users\Admin\AppData\Roaming\{0C8E1DD8-256A-D016-6310-AD9D516D7123}\mfpmp.exe

Filesize
344KB

MD5
270b70bad151a515136f553e5bc880ac

SHA1
77b7def336c7647c6faadaf7136d70ff1e9ba7fc

SHA256
db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

SHA512
c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

Download Submit
memory/1092-54-0x0000000075731000-0x0000000075733000-memory.dmp

Filesize
8KB

Download
memory/1092-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1092-64-0x00000000002D0000-0x00000000002EE000-memory.dmp

Filesize
120KB

Download
memory/1492-74-0x000007FEFBAC1000-0x000007FEFBAC3000-memory.dmp

Filesize
8KB

Download
memory/1972-67-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download