cerber | 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

Analysis

max time kernel
649s
max time network
1559s
platform
windows7_x64
resource
win7-20220310-en
submitted
07-04-2022 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Size

186KB
MD5

8ec363843a850f67ebad036bb4d18efd
SHA1

ac856eb04ca1665b10bed5a1757f193ff56aca02
SHA256

27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
SHA512

800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Score

10^/10

cerber gozi_rm3 banker discovery evasion persistence ransomware spyware stealer suricata trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A" target="_blank">http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A</a></li> <li><a href="http://cerberhhyed5frqa.qor499.top/3775-55D3-C348-029E-DE2A" target="_blank">http://cerberhhyed5frqa.qor499.top/3775-55D3-C348-029E-DE2A</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/3775-55D3-C348-029E-DE2A" target="_blank">http://cerberhhyed5frqa.gkfit9.win/3775-55D3-C348-029E-DE2A</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/3775-55D3-C348-029E-DE2A" target="_blank">http://cerberhhyed5frqa.305iot.win/3775-55D3-C348-029E-DE2A</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/3775-55D3-C348-029E-DE2A" target="_blank">http://cerberhhyed5frqa.dkrti5.win/3775-55D3-C348-029E-DE2A</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A" target="_blank">http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A" target="_blank">http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A" target="_blank">http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/3775-55D3-C348-029E-DE2A in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A | | 2. http://cerberhhyed5frqa.qor499.top/3775-55D3-C348-029E-DE2A | | 3. http://cerberhhyed5frqa.gkfit9.win/3775-55D3-C348-029E-DE2A | | 4. http://cerberhhyed5frqa.305iot.win/3775-55D3-C348-029E-DE2A | | 5. http://cerberhhyed5frqa.dkrti5.win/3775-55D3-C348-029E-DE2A |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/3775-55D3-C348-029E-DE2A | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A

http://cerberhhyed5frqa.qor499.top/3775-55D3-C348-029E-DE2A

http://cerberhhyed5frqa.gkfit9.win/3775-55D3-C348-029E-DE2A

http://cerberhhyed5frqa.305iot.win/3775-55D3-C348-029E-DE2A

http://cerberhhyed5frqa.dkrti5.win/3775-55D3-C348-029E-DE2A

http://cerberhhyed5frqa.onion/3775-55D3-C348-029E-DE2A

Extracted

Path

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Ransom Note

C E R B E R R A N S O M W A R E Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. What is encryption? Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. Everything is clear for me but what should I do? The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: decrypt all your files; work with your documents; view your photos and other media; continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. There is a list of temporary addresses to go on your personal page below: http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A http://cerberhhyed5frqa.qor499.top/3775-55D3-C348-029E-DE2A http://cerberhhyed5frqa.gkfit9.win/3775-55D3-C348-029E-DE2A http://cerberhhyed5frqa.305iot.win/3775-55D3-C348-029E-DE2A http://cerberhhyed5frqa.dkrti5.win/3775-55D3-C348-029E-DE2A What should you do with these addresses? If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): take a look at the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A); select it with the mouse cursor holding the left mouse button and moving the cursor to the right; release the left mouse button and press the right one; select "Copy" in the appeared menu; run your Internet browser (if you do not know what it is run the Internet Explorer); move the mouse cursor to the address bar of the browser (this is the place where the site address is written); click the right mouse button in the field where the site address is written; select the button "Insert" in the appeared menu; then you will see the address http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A appeared there; press ENTER; the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A); in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: run your Internet browser (if you do not know what it is run the Internet Explorer); enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; wait for the site loading; on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; run Tor Browser; connect with the button "Connect" (if you use the English version); a normal Internet browser window will be opened after the initialization; type or copy the address http://cerberhhyed5frqa.onion/3775-55D3-C348-029E-DE2A in this browser address bar; press ENTER; the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.zmvirj.top/3775-55D3-C348-029E-DE2A

http://cerberhhyed5frqa.qor499.top/3775-55D3-C348-029E-DE2A

http://cerberhhyed5frqa.gkfit9.win/3775-55D3-C348-029E-DE2A

http://cerberhhyed5frqa.305iot.win/3775-55D3-C348-029E-DE2A

http://cerberhhyed5frqa.dkrti5.win/3775-55D3-C348-029E-DE2A

http://cerberhhyed5frqa.onion/3775-55D3-C348-029E-DE2A

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata
suricata: ET MALWARE Ransomware/Cerber Checkin M3 (4)
suricata: ET MALWARE Ransomware/Cerber Checkin M3 (4)
suricata
Contacts a large (16388) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{733118C5-0E24-B662-40F1-057F1DAF7894}\\Magnify.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{733118C5-0E24-B662-40F1-057F1DAF7894}\\Magnify.exe\""	Magnify.exe

Executes dropped EXE 6 IoCs

pid	Process
1340	Magnify.exe
576	Magnify.exe
2044	Magnify.exe
1820	Magnify.exe
1812	Magnify.exe
992	Magnify.exe

Deletes itself 1 IoCs

pid	Process
1200	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\Magnify.lnk	Magnify.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\Magnify.lnk	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe

Loads dropped DLL 2 IoCs

pid	Process
744	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
1340	Magnify.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\Magnify = "\"C:\\Users\\Admin\\AppData\\Roaming\\{733118C5-0E24-B662-40F1-057F1DAF7894}\\Magnify.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Magnify = "\"C:\\Users\\Admin\\AppData\\Roaming\\{733118C5-0E24-B662-40F1-057F1DAF7894}\\Magnify.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run	Magnify.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\Magnify = "\"C:\\Users\\Admin\\AppData\\Roaming\\{733118C5-0E24-B662-40F1-057F1DAF7894}\\Magnify.exe\""	Magnify.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	Magnify.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Magnify = "\"C:\\Users\\Admin\\AppData\\Roaming\\{733118C5-0E24-B662-40F1-057F1DAF7894}\\Magnify.exe\""	Magnify.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA94A.bmp"	Magnify.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
1860	taskkill.exe
1604	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Control Panel\Desktop	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{733118C5-0E24-B662-40F1-057F1DAF7894}\\Magnify.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Control Panel\Desktop	Magnify.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{733118C5-0E24-B662-40F1-057F1DAF7894}\\Magnify.exe\""	Magnify.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e5000000000200000000001066000000010000200000000fbcc62fb4943f15e04aa96334f4f2ff795ee85be087a2fa0cac6177fd3e2688000000000e8000000002000020000000cc74141daf193e30b271ae8ae9097b306ebbc6c77f9f8d88cbfdb14b6e29b5b820000000d82c487a8ffc2727df91fd06d5ea8ca3cddc29ef011dfb4bbbac20f9e3bc05bc40000000ff4e17c08dfef339531458dab65ae2c53bb2ca68dc9eb2ff453482b6f9445696cadfcf6d621a3faa40a7651985b09473cf24a5ccf003019b838c9bdb0cb8c4d9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90e66960c74ad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e50000000002000000000010660000000100002000000067899b34427fd3e24cf3c3604c169f9d555e44ca2c9a7fe41d7c058e480c45a9000000000e8000000002000020000000c54270cf97ca391f9f1c21c9803419f01a05c1767edfdfc319234e42de5a58bc900000008ba6da32122f91eab920651563aef8f53b9d15f1b026a8f8f3fceeb2e6f486c6b61cac9c5112868f09f8cbc97376d01c89026ff8b8d80f1bd0b46061b56131d9436285995a978379767a494514d31b6ced692aa750ee6c1cdc942d7ecd64823cfc5ea56cffe86881979dac9d0e4c41dff6bd85d72646d342b3680dc026bf427c3a1d0ebf7578be7250a57f7e7dc055b740000000e6613f2c690760968be99e8d0d7b014ab83f66b623995ac6b02a865ae0932281acf675628dad3e4bde40c936d52207bc087be6717b96f1d3431cd76e68cec4aa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{99106EB1-B6BA-11EC-9158-EA5C3F5CE8CA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{989245D1-B6BA-11EC-9158-EA5C3F5CE8CA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "356132284"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1348	PING.EXE
1964	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe
1340	Magnify.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	744	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Token: SeDebugPrivilege	1340	Magnify.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	576	Magnify.exe
Token: SeDebugPrivilege	2044	Magnify.exe
Token: SeDebugPrivilege	1820	Magnify.exe
Token: SeDebugPrivilege	1812	Magnify.exe
Token: SeDebugPrivilege	992	Magnify.exe
Token: 33	340	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	340	AUDIODG.EXE
Token: 33	340	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	340	AUDIODG.EXE
Token: SeDebugPrivilege	1604	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1580	iexplore.exe
1988	iexplore.exe
1580	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1580	iexplore.exe
1580	iexplore.exe
1988	iexplore.exe
1988	iexplore.exe
1580	iexplore.exe
1580	iexplore.exe
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE

Suspicious use of UnmapMainImage 7 IoCs

pid	Process
744	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
1340	Magnify.exe
576	Magnify.exe
2044	Magnify.exe
1820	Magnify.exe
1812	Magnify.exe
992	Magnify.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 1340	744	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	27
PID 744 wrote to memory of 1340	744	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	27
PID 744 wrote to memory of 1340	744	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	27
PID 744 wrote to memory of 1340	744	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	27
PID 744 wrote to memory of 1200	744	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 744 wrote to memory of 1200	744	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 744 wrote to memory of 1200	744	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 744 wrote to memory of 1200	744	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 1200 wrote to memory of 1860	1200	cmd.exe	30
PID 1200 wrote to memory of 1860	1200	cmd.exe	30
PID 1200 wrote to memory of 1860	1200	cmd.exe	30
PID 1200 wrote to memory of 1860	1200	cmd.exe	30
PID 1200 wrote to memory of 1964	1200	cmd.exe	33
PID 1200 wrote to memory of 1964	1200	cmd.exe	33
PID 1200 wrote to memory of 1964	1200	cmd.exe	33
PID 1200 wrote to memory of 1964	1200	cmd.exe	33
PID 924 wrote to memory of 576	924	taskeng.exe	36
PID 924 wrote to memory of 576	924	taskeng.exe	36
PID 924 wrote to memory of 576	924	taskeng.exe	36
PID 924 wrote to memory of 576	924	taskeng.exe	36
PID 924 wrote to memory of 2044	924	taskeng.exe	39
PID 924 wrote to memory of 2044	924	taskeng.exe	39
PID 924 wrote to memory of 2044	924	taskeng.exe	39
PID 924 wrote to memory of 2044	924	taskeng.exe	39
PID 924 wrote to memory of 1820	924	taskeng.exe	40
PID 924 wrote to memory of 1820	924	taskeng.exe	40
PID 924 wrote to memory of 1820	924	taskeng.exe	40
PID 924 wrote to memory of 1820	924	taskeng.exe	40
PID 924 wrote to memory of 1812	924	taskeng.exe	41
PID 924 wrote to memory of 1812	924	taskeng.exe	41
PID 924 wrote to memory of 1812	924	taskeng.exe	41
PID 924 wrote to memory of 1812	924	taskeng.exe	41
PID 924 wrote to memory of 992	924	taskeng.exe	42
PID 924 wrote to memory of 992	924	taskeng.exe	42
PID 924 wrote to memory of 992	924	taskeng.exe	42
PID 924 wrote to memory of 992	924	taskeng.exe	42
PID 1340 wrote to memory of 1580	1340	Magnify.exe	43
PID 1340 wrote to memory of 1580	1340	Magnify.exe	43
PID 1340 wrote to memory of 1580	1340	Magnify.exe	43
PID 1340 wrote to memory of 1580	1340	Magnify.exe	43
PID 1340 wrote to memory of 1552	1340	Magnify.exe	44
PID 1340 wrote to memory of 1552	1340	Magnify.exe	44
PID 1340 wrote to memory of 1552	1340	Magnify.exe	44
PID 1340 wrote to memory of 1552	1340	Magnify.exe	44
PID 1580 wrote to memory of 2032	1580	iexplore.exe	46
PID 1580 wrote to memory of 2032	1580	iexplore.exe	46
PID 1580 wrote to memory of 2032	1580	iexplore.exe	46
PID 1580 wrote to memory of 2032	1580	iexplore.exe	46
PID 1988 wrote to memory of 1144	1988	iexplore.exe	48
PID 1988 wrote to memory of 1144	1988	iexplore.exe	48
PID 1988 wrote to memory of 1144	1988	iexplore.exe	48
PID 1988 wrote to memory of 1144	1988	iexplore.exe	48
PID 1340 wrote to memory of 1640	1340	Magnify.exe	49
PID 1340 wrote to memory of 1640	1340	Magnify.exe	49
PID 1340 wrote to memory of 1640	1340	Magnify.exe	49
PID 1340 wrote to memory of 1640	1340	Magnify.exe	49
PID 1340 wrote to memory of 112	1340	Magnify.exe	53
PID 1340 wrote to memory of 112	1340	Magnify.exe	53
PID 1340 wrote to memory of 112	1340	Magnify.exe	53
PID 1340 wrote to memory of 112	1340	Magnify.exe	53
PID 112 wrote to memory of 1604	112	cmd.exe	55
PID 112 wrote to memory of 1604	112	cmd.exe	55
PID 112 wrote to memory of 1604	112	cmd.exe	55
PID 112 wrote to memory of 1348	112	cmd.exe	57

C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe
  "C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1580 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2032
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:1552
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:1640
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "Magnify.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "Magnify.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1604
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1348
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1964

C:\Windows\system32\taskeng.exe
taskeng.exe {E1628EBF-051D-4CC3-9911-6ED8D3398B10} S-1-5-21-2932610838-281738825-1127631353-1000:NXLKCZKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe
  C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:576
- C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe
  C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:2044
- C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe
  C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:1820
- C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe
  C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:1812
- C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe
  C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1144

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:904

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Network Service Scanning

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{989245D1-B6BA-11EC-9158-EA5C3F5CE8CA}.dat

Filesize
4KB

MD5
51c3636cee7e789348e9c9b3587627fd

SHA1
baa5cd17ab06179f0a9101fcc7f13ae28d47f266

SHA256
daef8423e04ad5693614702441420690e1e6f6a9de373d69d93ebd523971d2eb

SHA512
4001476752f3bc31ea1b200a4e0ee57212944c2ab5b2d7c876967225892735985c45312ec662f909207556dd3b110fe0ab9b5f91f23a45d85c14b236fdf5a2ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{99106EB1-B6BA-11EC-9158-EA5C3F5CE8CA}.dat

Filesize
5KB

MD5
b6aed7382f09345d8f4562fabaaf198b

SHA1
008cb86d4ce8f767ef85bba58516a53274c81411

SHA256
20edb66cd42ccb0a9fad6b68e4ef1c7f676c25488b5c54111ebfb6836e8788b6

SHA512
24526bbc81913a02aaef54cfcc3e23cb40294ff06820c4062ef36100de0efefbe48af9329d46cf98427d3322f908f840143d8e1dae2e10d2e3d74b407638a589

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\D02DGO4M.txt

Filesize
608B

MD5
e69b2fb457af512636f6ca61aa599c50

SHA1
0a211c3fdd85607cc8c030193726e3f1b1a1970a

SHA256
e9763e5d9b864d1f09642529ef56f3ef142a484ad4a3b8549892fc8f5902e523

SHA512
b7380edcd61da8de818d3cee1d305eee67f92fa0ca570fc19c01e5459062d698dae7b10c4f94f44d8baee3d495bd07a3dbb283cb42394db04d1a841e614f2fae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\Magnify.lnk

Filesize
1KB

MD5
dc2b4239ac6466d2ca57a50cd8f1b225

SHA1
cdc7afe46379766ed32fa4a435582916d216e2cf

SHA256
7fc7093f8b6610ae170cb999e8760cf8cff20ea632a813c88e9640d0cafbbee2

SHA512
d778cd889726471615142b737a0ece80843db08f8529fdb915e615913ba21ab50ba0010c347cdb8d1a5c18f5b1fb338978454e67dda5a7e98cffb69476343423

Download Submit
C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
C:\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
9357e871f296ae41cc11f1384bdd962b

SHA1
5df87b6f23db9fc0483fcb602b6c7050aa721336

SHA256
e6c158e6fc99319b7718687d95d2c7e9c1c9cb7f77d2439d8fb5a7634f94b049

SHA512
718d3e7d9b97aad2c470290a5e8b0b2073de96cfe82e53017e51bbc5a1bf5fac1dbde6c9c527b14e8117512feebd0da649ab73665b33fc2c1ec6f1fb91f07238

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
7f5d3579a0244aef70c265bec89674df

SHA1
174b7b561fdbe4461614304b82bfef619256473a

SHA256
07c6f074956a5398a6ec373ca280d03f13d5d2898a8ac4127e0aeee55cd3ef05

SHA512
85b5a50dd4fda0477d5e4473af17818fc4ecb7a9e6e01de9c910279ca4a92b60bebb497b55889cd89aea17c46a88319990fdc987ab7c32d40c47e3dcc140b7d9

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.url

Filesize
85B

MD5
a512326ddde6b2382059557ee989e706

SHA1
d0fd11bb49fe190d1addecc2e3126bbd4a7d06c1

SHA256
18b9bd3353f3a7d4f8030b3c5527432bbcd041571d31ce07e696bbd307c43fe8

SHA512
ee156ec1a36f47ce1a7805ffc682243489aa41e4c7c2fb2762fe663c0aaf3f709e83c2e0f6e687e8adc37d1633ddd294697b709e94f98c51f4ee5ae90cde0b72

Download Submit
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs

Filesize
225B

MD5
f6d629f2a4c0815f005230185bd892fe

SHA1
1572070cf8773883a6fd5f5d1eb51ec724bbf708

SHA256
ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

SHA512
b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

Download Submit
\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
\Users\Admin\AppData\Roaming\{733118C5-0E24-B662-40F1-057F1DAF7894}\Magnify.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
memory/576-70-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/744-56-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/744-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/744-55-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/992-86-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1340-62-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1552-89-0x000007FEFBB61000-0x000007FEFBB63000-memory.dmp

Filesize
8KB

Download
memory/1812-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1820-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2044-74-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download