Malware Analysis Report

2024-10-16 03:14

Sample ID 220414-sfkx3sdbdr
Target aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153
SHA256 aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153
Tags
hive ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153

Threat Level: Known bad

The file aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153 was found to be: Known bad.

Malicious Activity Summary

hive ransomware spyware stealer

Detects Rust x86 variant of Hive Ransomware

Hive family

Hive

Deletes shadow copies

Modifies extensions of user files

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Enumerates connected drives

Suspicious behavior: EnumeratesProcesses

Opens file in notepad (likely ransom note)

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-14 15:04

Signatures

Detects Rust x86 variant of Hive Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Hive family

hive

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-14 15:04

Reported

2022-04-14 15:10

Platform

win7-20220331-en

Max time kernel

40s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153.exe"

Signatures

Detects Rust x86 variant of Hive Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Hive

ransomware hive

Deletes shadow copies

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\DebugGet.crw => C:\Users\Admin\Pictures\DebugGet.crw.5wsG34db_zZgYLVAvb0W C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened for modification C:\Users\Admin\Pictures\DebugGet.crw.5wsG34db_zZgYLVAvb0W C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File renamed C:\Users\Admin\Pictures\UndoSync.crw => C:\Users\Admin\Pictures\UndoSync.crw.5wsG34db_xkZGczMzMyW C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened for modification C:\Users\Admin\Pictures\UndoSync.crw.5wsG34db_xkZGczMzMyW C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File renamed C:\Users\Admin\Pictures\PingInvoke.crw => C:\Users\Admin\Pictures\PingInvoke.crw.5wsG34db_0lJSWEQEBBG C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened for modification C:\Users\Admin\Pictures\PingInvoke.crw.5wsG34db_0lJSWEQEBBG C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
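The three renames above keep the original extension and append a token of the form .<8 chars>_<11 chars>: the 8-character part (5wsG34db) is identical for every file in this run, the 11-character part differs per file. The Python below is an added example written for this page, not code from the sandbox or from any Hive tooling. It parses rows in the report's own layout, flags renames of that shape, and groups them by run token and by renaming process, which is the aggregation a detection rule would key on. The two explorer.exe rows are constructed controls; the token lengths are taken from this page alone and should be widened or replaced by an entropy check before the rule is used against other Hive builds.

```python
import re
from collections import Counter

# Rows copied from the behavioral1 "Modifies extensions of user files" table
# (File renamed <old> => <new> <process> N/A), plus two constructed benign
# renames by explorer.exe so the rule can be seen not firing on them.
RENAME_ROWS = [
    r"File renamed C:\Users\Admin\Pictures\DebugGet.crw => C:\Users\Admin\Pictures\DebugGet.crw.5wsG34db_zZgYLVAvb0W C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A",
    r"File renamed C:\Users\Admin\Pictures\UndoSync.crw => C:\Users\Admin\Pictures\UndoSync.crw.5wsG34db_xkZGczMzMyW C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A",
    r"File renamed C:\Users\Admin\Pictures\PingInvoke.crw => C:\Users\Admin\Pictures\PingInvoke.crw.5wsG34db_0lJSWEQEBBG C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A",
    # constructed benign rows, not from the report
    r"File renamed C:\Users\Admin\Documents\report.docx => C:\Users\Admin\Documents\report.docx.bak C:\Windows\explorer.exe N/A",
    r"File renamed C:\Users\Admin\Documents\notes.txt => C:\Users\Admin\Documents\notes_old.txt C:\Windows\explorer.exe N/A",
]

ROW_RE = re.compile(r"^File renamed (\S+) => (\S+) (\S+) N/A$")
# Shape of the appended token in the three renames above: 8 alphanumerics,
# an underscore, 11 alphanumerics. The lengths come from this report only;
# other Hive builds are not covered by them.
TOKEN_RE = re.compile(r"^([A-Za-z0-9]{8})_([A-Za-z0-9]{11})$")


def parse_rename(row):
    """Return (old_path, new_path, process) or None for a non-matching row."""
    m = ROW_RE.match(row)
    return (m[1], m[2], m[3]) if m else None


def hive_token(old_path, new_path):
    """Return (run_token, file_token) when new_path is old_path with the
    original extension kept and '.<run>_<file>' appended; otherwise None."""
    if not new_path.startswith(old_path + "."):
        return None
    m = TOKEN_RE.match(new_path[len(old_path) + 1:])
    return (m[1], m[2]) if m else None


def triage(rows):
    """Flag renames matching the pattern; group them by run token and process.
    One run token across many files from one process is the signal to alert on."""
    flagged, run_tokens, by_process = [], Counter(), Counter()
    for row in rows:
        parsed = parse_rename(row)
        if parsed is None:
            continue
        old, new, proc = parsed
        token = hive_token(old, new)
        if token:
            flagged.append((old, token[0], token[1]))
            run_tokens[token[0]] += 1
            by_process[proc] += 1
    return {"flagged": flagged, "run_tokens": dict(run_tokens), "by_process": dict(by_process)}


if __name__ == "__main__":
    for old, run, per_file in triage(RENAME_ROWS)["flagged"]:
        print(f"{old}: run token {run}, file token {per_file}")
```

Run against the rows above, triage() flags the three .crw renames, reports a single run token 5wsG34db with count 3, attributes all of them to abc.322332655.exe, and ignores the .bak and notes_old renames. Keying an alert on "many renames, one run token, one process" rather than on the literal token is what makes the rule survive the per-victim change of that token.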

Reads user/profile data of web browsers

spyware stealer

Note: this signature carries no indicator rows in either run. Reading files under browser profile directories is also what a file encryptor does while walking the user profile, so on the evidence in this report the spyware/stealer tags are a heuristic hit, not confirmed credential or cookie theft.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\notepad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A (this row is repeated 30 times in the original table)

Suspicious use of AdjustPrivilegeToken

Note: only the SeDebugPrivilege row for abc.322332655.exe is attributable to the sample. The long wmic.exe lists are that binary enabling every privilege in its token at startup, and the vssvc.exe rows are the Volume Shadow Copy service doing its normal work; both appear whenever wmic is used to delete shadow copies and are not specific to this malware.

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 [SeIncreaseWorkingSetPrivilege, LUID not resolved by the sandbox] N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 [SeTimeZonePrivilege] N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 [SeCreateSymbolicLinkPrivilege] N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 [SeIncreaseWorkingSetPrivilege] N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 [SeTimeZonePrivilege] N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 [SeCreateSymbolicLinkPrivilege] N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153.exe C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe (4 identical rows)
PID 1288 wrote to memory of 6480 N/A C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe C:\Windows\SysWOW64\vssadmin.exe (4 identical rows)
PID 1288 wrote to memory of 6492 N/A C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe C:\Windows\SysWOW64\Wbem\wmic.exe (4 identical rows)
PID 1288 wrote to memory of 6612 N/A C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe C:\Windows\SysWOW64\notepad.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153.exe

"C:\Users\Admin\AppData\Local\Temp\aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153.exe"

C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe

C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe -u abc:abc

C:\Windows\SysWOW64\vssadmin.exe

"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

"C:\Windows\System32\Wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe" C:\HOW_TO_DECRYPT.txt

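The process list above, read together with the WriteProcessMemory rows (1692 -> 1288 -> 6480, 6492, 6612), gives the chain: the submitted sample drops and runs abc.322332655.exe with the argument -u abc:abc (the page records the value but not what the encryptor does with it), and that child deletes shadow copies through both vssadmin.exe and wmic.exe before opening C:\HOW_TO_DECRYPT.txt in notepad. The command lines name system32 while the sandbox records the processes under SysWOW64: the sample is 32-bit, so WOW64 file-system redirection resolves the path, and a detection that matches on the directory rather than the image name would miss it. The Python below is an added example (editor's code, not the sandbox's or Hive's): it rebuilds the tree from rows in the report's own format and tags each node with the behaviours the report names. PIDs come from the table and the memory-dump file names; the rule set is this editor's, not the sandbox's signature logic.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral1 "Suspicious use of WriteProcessMemory" table.
# The sandbox logs several writes per process start (the original table has
# four identical rows per pair); two copies are kept here to show the dedupe.
WRITE_ROWS = [
    r"PID 1692 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153.exe C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe",
    r"PID 1692 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153.exe C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe",
    r"PID 1288 wrote to memory of 6480 N/A C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe C:\Windows\SysWOW64\vssadmin.exe",
    r"PID 1288 wrote to memory of 6492 N/A C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe C:\Windows\SysWOW64\Wbem\wmic.exe",
    r"PID 1288 wrote to memory of 6612 N/A C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe C:\Windows\SysWOW64\notepad.exe",
]

# Command lines from the behavioral1 "Processes" section. PIDs are the ones
# the table above and the memory-dump file names assign (1692 = submitted
# sample, 1288 = dropped encryptor, 6480/6492/6612 = its children).
CMDLINES = {
    1692: r'"C:\Users\Admin\AppData\Local\Temp\aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153.exe"',
    1288: r"C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe -u abc:abc",
    6480: r'"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet',
    6492: r'"C:\Windows\System32\Wbem\wmic.exe" shadowcopy delete',
    6612: r'"C:\Windows\system32\notepad.exe" C:\HOW_TO_DECRYPT.txt',
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(rows):
    """Return ({child_pid: parent_pid}, {pid: image_path}) from the rows, deduplicated."""
    parent_of, image = {}, {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        ppid, pid, parent_img, child_img = int(m[1]), int(m[2]), m[3], m[4]
        parent_of[pid] = ppid
        image.setdefault(ppid, parent_img)
        image.setdefault(pid, child_img)
    return parent_of, image


def classify(image_path, cmdline, parent_image):
    """Map one process to the behaviours this report names. Matching uses the
    image basename, because the sandbox records the 32-bit sample's children
    under SysWOW64 while their command lines say system32 (WOW64 redirection)."""
    name, low = basename(image_path).lower(), cmdline.lower()
    tags = []
    if name == "vssadmin.exe" and "delete" in low and "shadows" in low:
        tags.append("deletes shadow copies (vssadmin)")
    if name == "wmic.exe" and "shadowcopy" in low and "delete" in low:
        tags.append("deletes shadow copies (wmic)")
    if name == "notepad.exe" and re.search(r"decrypt|readme|recover", low):
        tags.append("opens likely ransom note")
    if TEMP_DIR.search(image_path) and parent_image and TEMP_DIR.search(parent_image):
        tags.append("executes dropped EXE from Temp")
    if re.search(r"\s-u\s+\S+:\S+", cmdline):
        tags.append("launched with -u user:pass argument")
    return tags


def analyze(rows=WRITE_ROWS, cmdlines=CMDLINES):
    """Rebuild the process tree and return (parent_of, image, {pid: tags})."""
    parent_of, image = parse_rows(rows)
    findings = {}
    for pid, img in image.items():
        tags = classify(img, cmdlines.get(pid, ""), image.get(parent_of.get(pid)))
        if tags:
            findings[pid] = tags
    return parent_of, image, findings


def render_tree(parent_of, image, findings):
    """Indented process tree with the findings for each node appended."""
    children = defaultdict(list)
    for pid, ppid in parent_of.items():
        children[ppid].append(pid)
    roots = sorted(p for p in image if p not in parent_of)
    lines = []

    def walk(pid, depth):
        note = ("  <- " + "; ".join(findings[pid])) if pid in findings else ""
        lines.append("  " * depth + f"{pid} {basename(image[pid])}{note}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(*analyze()))
```

The rendered tree has one root (1692, the submitted sample, which carries no finding of its own) and four flagged descendants; the encryptor node picks up both the dropped-EXE and the -u user:pass tags. In a real pipeline the same two tables (process-start events with parent PID, plus command lines) come from Sysmon event 1 or an EDR, and the shadow-copy rules here are the ones worth paging on regardless of which family issues them.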
Network

N/A

Files

\Users\Admin\AppData\Local\Temp\abc.322332655.exe

MD5 23f82ce9f5f8e02614b31cc0810e0d5f
SHA1 0bbde5e6b3aefc33014ec3c1f1e61d8664a33a75
SHA256 206de75058a7dfa0b96784965baab63a137f2e89a97e623842e7d0bb3f12c2fc
SHA512 1231dc5046cb609b5cf2240a95cb728842048609a93d3034984948f9fe99ed54c508e154f3f7516f9b15a8244ec49574dc6d6ad4a95daa8ed6bcf8e4fbf4f52d

memory/1288-56-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\abc.322332655.exe

MD5 23f82ce9f5f8e02614b31cc0810e0d5f
SHA1 0bbde5e6b3aefc33014ec3c1f1e61d8664a33a75
SHA256 206de75058a7dfa0b96784965baab63a137f2e89a97e623842e7d0bb3f12c2fc
SHA512 1231dc5046cb609b5cf2240a95cb728842048609a93d3034984948f9fe99ed54c508e154f3f7516f9b15a8244ec49574dc6d6ad4a95daa8ed6bcf8e4fbf4f52d

C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe

MD5 23f82ce9f5f8e02614b31cc0810e0d5f
SHA1 0bbde5e6b3aefc33014ec3c1f1e61d8664a33a75
SHA256 206de75058a7dfa0b96784965baab63a137f2e89a97e623842e7d0bb3f12c2fc
SHA512 1231dc5046cb609b5cf2240a95cb728842048609a93d3034984948f9fe99ed54c508e154f3f7516f9b15a8244ec49574dc6d6ad4a95daa8ed6bcf8e4fbf4f52d

memory/6480-58-0x0000000000000000-mapping.dmp

memory/6492-59-0x0000000000000000-mapping.dmp

memory/6612-60-0x0000000000000000-mapping.dmp

memory/6612-61-0x0000000076201000-0x0000000076203000-memory.dmp

C:\HOW_TO_DECRYPT.txt

MD5 0214bcaca4b3d3ef139ea5bd3045f52a
SHA1 201d5dc7bf0fd927807c36da52977d21ec0fce58
SHA256 68e36460c5deff70f47732af87120db943c048ae7bcbaade336a84950d7d831a
SHA512 4a033de9b1d5fed4d8579f648d953cd5a968efc14ed52ab3f74d407e3a3efc03b04986255f0dd34d87860001c245bda7437b9a27de289e7edd7e82d260dd049f

C:\Users\Admin\AppData\Local\Temp\abc.322332655.exe

MD5 23f82ce9f5f8e02614b31cc0810e0d5f
SHA1 0bbde5e6b3aefc33014ec3c1f1e61d8664a33a75
SHA256 206de75058a7dfa0b96784965baab63a137f2e89a97e623842e7d0bb3f12c2fc
SHA512 1231dc5046cb609b5cf2240a95cb728842048609a93d3034984948f9fe99ed54c508e154f3f7516f9b15a8244ec49574dc6d6ad4a95daa8ed6bcf8e4fbf4f52d

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-14 15:04

Reported

2022-04-14 15:06

Platform

win10v2004-20220331-en

Max time kernel

129s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153.exe"

Signatures

Detects Rust x86 variant of Hive Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Hive

ransomware hive

Deletes shadow copies

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\notepad.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 [SeIncreaseWorkingSetPrivilege, LUID not resolved by the sandbox] N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 [SeTimeZonePrivilege] N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 [SeCreateSymbolicLinkPrivilege] N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 [SeDelegateSessionUserImpersonatePrivilege, present on Windows 10 but not in the Windows 7 run] N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 [SeIncreaseWorkingSetPrivilege] N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 [SeTimeZonePrivilege] N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 [SeCreateSymbolicLinkPrivilege] N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 [SeDelegateSessionUserImpersonatePrivilege] N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153.exe

"C:\Users\Admin\AppData\Local\Temp\aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153.exe"

C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe

C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe -u abc:abc

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe" C:\HOW_TO_DECRYPT.txt

C:\Windows\SysWOW64\Wbem\wmic.exe

"C:\Windows\System32\Wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country  Destination            Domain             Proto
FI       62.115.252.81:80       -                  tcp
GB       51.105.71.137:443      -                  tcp
FI       62.115.252.81:80       -                  tcp
FI       62.115.252.81:80       -                  tcp
FI       62.115.252.81:80       -                  tcp
US       8.8.8.8:53             crl4.digicert.com  udp
US       93.184.220.29:80       crl4.digicert.com  tcp
US       13.107.21.200:443      -                  tcp
US       93.184.220.29:80       crl4.digicert.com  tcp
US       93.184.220.29:256      crl4.digicert.com  tcp
US       93.184.220.29:80       crl4.digicert.com  tcp
US       93.184.220.29:5901     crl4.digicert.com  tcp
US       93.184.220.29:12298    crl4.digicert.com  tcp
US       93.184.220.29:260      crl4.digicert.com  tcp
US       93.184.220.29:13362    crl4.digicert.com  tcp
US       93.184.220.29:1027     crl4.digicert.com  tcp
US       93.184.220.29:80       crl4.digicert.com  tcp
US       13.107.21.200:443      -                  tcp
US       52.152.108.96:443      -                  tcp

Note: the table has no process column, so none of these connections is attributed to the sample by this report. A DNS lookup and CRL fetches for crl4.digicert.com, together with TLS connections into Microsoft-operated address space (13.107.x, 51.105.x, 52.152.x), are consistent with Windows 10 background activity, and the Windows 7 run (behavioral1) recorded no network traffic at all. Treat these destinations as sandbox context, not as Hive command-and-control indicators.

Files

memory/3440-124-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe

MD5 23f82ce9f5f8e02614b31cc0810e0d5f
SHA1 0bbde5e6b3aefc33014ec3c1f1e61d8664a33a75
SHA256 206de75058a7dfa0b96784965baab63a137f2e89a97e623842e7d0bb3f12c2fc
SHA512 1231dc5046cb609b5cf2240a95cb728842048609a93d3034984948f9fe99ed54c508e154f3f7516f9b15a8244ec49574dc6d6ad4a95daa8ed6bcf8e4fbf4f52d

C:\Users\Admin\AppData\Local\Temp\abc.2041320234.exe

MD5 23f82ce9f5f8e02614b31cc0810e0d5f
SHA1 0bbde5e6b3aefc33014ec3c1f1e61d8664a33a75
SHA256 206de75058a7dfa0b96784965baab63a137f2e89a97e623842e7d0bb3f12c2fc
SHA512 1231dc5046cb609b5cf2240a95cb728842048609a93d3034984948f9fe99ed54c508e154f3f7516f9b15a8244ec49574dc6d6ad4a95daa8ed6bcf8e4fbf4f52d

memory/8628-127-0x0000000000000000-mapping.dmp

memory/8656-128-0x0000000000000000-mapping.dmp

C:\HOW_TO_DECRYPT.txt

MD5 0214bcaca4b3d3ef139ea5bd3045f52a
SHA1 201d5dc7bf0fd927807c36da52977d21ec0fce58
SHA256 68e36460c5deff70f47732af87120db943c048ae7bcbaade336a84950d7d831a
SHA512 4a033de9b1d5fed4d8579f648d953cd5a968efc14ed52ab3f74d407e3a3efc03b04986255f0dd34d87860001c245bda7437b9a27de289e7edd7e82d260dd049f