Analysis Overview
SHA256
a6998e84b935d69890ee8317d7bbd4e27c18f1e07abe6d0806384ea7fa13ce4a
Threat Level: Known bad
The file 067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b.zip was found to be: Known bad.
Malicious Activity Summary
Maze
suricata: ET MALWARE Maze/ID Ransomware Activity
Deletes shadow copies
Modifies extensions of user files
Drops startup file
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
Drops file in Program Files directory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-25 13:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-25 13:37
Reported
2022-05-25 14:07
Platform
win7-20220414-en
Max time kernel
1541s
Max time network
1248s
Command Line
Signatures
Maze
suricata: ET MALWARE Maze/ID Ransomware Activity
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\UnblockUninstall.png => C:\Users\Admin\Pictures\UnblockUninstall.png.7ZzBSjf | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertToRequest.tiff | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertToRequest.tiff => C:\Users\Admin\Pictures\ConvertToRequest.tiff.K8M5R | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InvokeExport.raw => C:\Users\Admin\Pictures\InvokeExport.raw.IN6l95 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RemoveConfirm.tif => C:\Users\Admin\Pictures\RemoveConfirm.tif.7ZzBSjf | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnlockLock.raw => C:\Users\Admin\Pictures\UnlockLock.raw.7ZzBSjf | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\AddPush.tif => C:\Users\Admin\Pictures\AddPush.tif.K8M5R | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompressInstall.tif => C:\Users\Admin\Pictures\CompressInstall.tif.K8M5R | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ReceiveInvoke.raw => C:\Users\Admin\Pictures\ReceiveInvoke.raw.XkDOly | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\885e098f19647d13.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
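The two tables above record the file-system side of the Maze run: each user file is renamed with its own short, random-looking extension (`.7ZzBSjf`, `.K8M5R`, `.IN6l95`, `.XkDOly`), and the same ransom note `DECRYPT-FILES.txt` is created in directory after directory. The following added example, which is not part of the sandbox report, turns those two observations into a per-process heuristic. The event list is constructed: the `wordupd.exe` rows are copied from the tables, and the `explorer.exe` and `backup.exe` rows are invented benign controls. Thresholds and the allow-list of housekeeping suffixes are assumptions to tune.

```python
"""Per-process heuristics for ransomware-like file activity:
random extensions appended on rename, and one file name created in many
directories (ransom note). Added example, not part of the sandbox report."""
import re
import ntpath
from collections import defaultdict

# Constructed event log: (action, indicator, process). wordupd.exe rows are taken
# from the behavioural tables above; explorer.exe and backup.exe rows are invented.
EVENTS = [
    ("File renamed", r"C:\Users\Admin\Pictures\UnblockUninstall.png => C:\Users\Admin\Pictures\UnblockUninstall.png.7ZzBSjf", "wordupd.exe"),
    ("File renamed", r"C:\Users\Admin\Pictures\ConvertToRequest.tiff => C:\Users\Admin\Pictures\ConvertToRequest.tiff.K8M5R", "wordupd.exe"),
    ("File renamed", r"C:\Users\Admin\Pictures\InvokeExport.raw => C:\Users\Admin\Pictures\InvokeExport.raw.IN6l95", "wordupd.exe"),
    ("File renamed", r"C:\Users\Admin\Pictures\RemoveConfirm.tif => C:\Users\Admin\Pictures\RemoveConfirm.tif.7ZzBSjf", "wordupd.exe"),
    ("File renamed", r"C:\Users\Admin\Pictures\ReceiveInvoke.raw => C:\Users\Admin\Pictures\ReceiveInvoke.raw.XkDOly", "wordupd.exe"),
    ("File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt", "wordupd.exe"),
    ("File created", r"C:\Program Files\DECRYPT-FILES.txt", "wordupd.exe"),
    ("File created", r"C:\Program Files (x86)\DECRYPT-FILES.txt", "wordupd.exe"),
    ("File created", r"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt", "wordupd.exe"),
    ("File renamed", r"C:\Users\Admin\Documents\report.docx => C:\Users\Admin\Documents\report-final.docx", "explorer.exe"),
    ("File renamed", r"C:\Data\app.sqlite => C:\Data\app.sqlite.bak", "backup.exe"),
    ("File created", r"C:\Data\backup.log", "backup.exe"),
]

# Assumed allow-list of suffixes that legitimate tools append to a file name.
BENIGN_SUFFIXES = {"bak", "old", "orig", "tmp", "part", "crdownload", "swp"}
RENAME_RE = re.compile(r"^(?P<src>.+?) => (?P<dst>.+)$")


def appended_suffix(src, dst):
    """Return the extension appended to an otherwise unchanged path, else None."""
    if not dst.startswith(src + "."):
        return None
    suffix = dst[len(src) + 1:]
    return suffix if suffix and "\\" not in suffix else None


def looks_random(suffix):
    """Short alphanumeric suffix, not a housekeeping extension, containing a
    digit or mixed case (Maze style: .7ZzBSjf, .K8M5R, .Th5u)."""
    if suffix.lower() in BENIGN_SUFFIXES or not re.fullmatch(r"[A-Za-z0-9]{4,8}", suffix):
        return False
    has_digit = any(c.isdigit() for c in suffix)
    mixed_case = suffix != suffix.lower() and suffix != suffix.upper()
    return has_digit or mixed_case


def profile_processes(events, min_renames=3, min_note_dirs=3):
    """Group events by process and score two independent signals:
    renames adding a random suffix, and one file name created in many directories."""
    seen = set()
    suffixes = defaultdict(list)                        # process -> random suffixes
    created = defaultdict(lambda: defaultdict(set))     # process -> name -> dirs
    for action, indicator, process in events:
        seen.add(process)
        if action == "File renamed":
            m = RENAME_RE.match(indicator)
            if m:
                suffix = appended_suffix(m["src"], m["dst"])
                if suffix and looks_random(suffix):
                    suffixes[process].append(suffix)
        elif action == "File created":
            directory, name = ntpath.split(indicator)
            created[process][name.lower()].add(directory.lower())
    report = {}
    for process in seen:
        exts = suffixes.get(process, [])
        notes = sorted(name for name, dirs in created.get(process, {}).items()
                       if len(dirs) >= min_note_dirs)
        report[process] = {
            "random_ext_renames": len(exts),
            "distinct_suffixes": len(set(exts)),
            "note_candidates": notes,
            "ransomware_like": len(exts) >= min_renames or bool(notes),
        }
    return report


if __name__ == "__main__":
    for process, result in profile_processes(EVENTS).items():
        print(process, result)
```

Either signal on its own is weak (a sync client can create the same file in many folders; an archiver can append suffixes), so in production the verdict should be combined with the shadow-copy deletion and the wallpaper change recorded elsewhere in this report rather than acted on alone.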
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\LimitSkip.mpeg2 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\SwitchInstall.mpa | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\DisablePublish.shtml | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\InitializeProtect.png | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\DisablePublish.vssx | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\OutRepair.iso | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\WaitRename.pptm | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\885e098f19647d13.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\CompleteUpdate.css | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ConnectPush.3gp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\InitializeStart.eprtx | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ReceivePublish.docx | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\UnblockUnregister.mpp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\UndoApprove.xlsm | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\885e098f19647d13.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\AssertUnregister.ex_ | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\EnterDeny.vbe | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\885e098f19647d13.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\RevokeEnter.ppsm | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\AddExpand.xhtml | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\PublishConnect.mhtml | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\885e098f19647d13.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\MergeSync.wma | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ResetReceive.aifc | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\DisconnectRegister.lock | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\LockImport.asx | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\PublishWait.wvx | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Program Files\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\DenySync.gif | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\GrantRequest.dxf | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\885e098f19647d13.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\DenyExport.doc | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\LockStep.ADTS | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\StartCompress.ods | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1980 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1980 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1980 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1980 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | C:\Windows\system32\wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\wordupd.exe
"C:\Users\Admin\AppData\Local\Temp\wordupd.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\ai\..\Windows\fooy\..\system32\dpiu\tg\..\..\wbem\lk\qvy\..\..\wmic.exe" shadowcopy delete
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x180
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x454
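The "Deletes shadow copies" signature above is backed by the `wmic.exe` command line in the process list: the image path is padded with junk directories and `..` segments (`C:\ai\..\Windows\fooy\..\system32\dpiu\tg\..\..\wbem\lk\qvy\..\..\wmic.exe`, and a different random padding in the win10 run) so that a naive string match on `C:\Windows\System32\wbem\wmic.exe` never fires, while the kernel resolves it to the real binary. The following added example, which is not part of the sandbox report, shows the detection logic a process-creation feed (Sysmon event 1, EDR telemetry) should apply: normalise the image path before comparing it, then look for the `shadowcopy delete` verb pair. The two obfuscated command lines are copied from this report; the other sample lines, the tool table and the `vssadmin` variant are assumptions added for coverage.

```python
"""Detect shadow-copy deletion via wmic/vssadmin even when the image path is
obfuscated with junk directories and '..' segments (Maze style).
Added example, not part of the sandbox report."""
import ntpath
import re

# Constructed sample command lines. The first two are copied from the report's
# process list; the rest are invented benign and variant cases.
SAMPLE_CMDLINES = [
    r'"C:\ai\..\Windows\fooy\..\system32\dpiu\tg\..\..\wbem\lk\qvy\..\..\wmic.exe" shadowcopy delete',
    r'"C:\dnce\..\Windows\nv\e\..\..\system32\hw\..\wbem\dyg\..\wmic.exe" shadowcopy delete',
    r'C:\Windows\System32\wbem\WMIC.exe os get caption',
    r'"C:\Windows\System32\wbem\WMIC.exe" SHADOWCOPY DELETE /nointeractive',
    r'C:\Windows\System32\vssadmin.exe delete shadows /all /quiet',
]

# Assumed table: normalised image path -> adjacent argument pair that deletes
# Volume Shadow Copies. Paths are compared after normcase(), hence lowercase.
SHADOW_DELETE_TOOLS = {
    r"c:\windows\system32\wbem\wmic.exe": ("shadowcopy", "delete"),
    r"c:\windows\syswow64\wbem\wmic.exe": ("shadowcopy", "delete"),
    r"c:\windows\system32\vssadmin.exe": ("delete", "shadows"),
    r"c:\windows\syswow64\vssadmin.exe": ("delete", "shadows"),
}

# First token is either a double-quoted path or a run of non-whitespace.
_IMAGE_RE = re.compile(r'^\s*(?:"([^"]*)"|(\S+))\s*(.*)$', re.S)


def split_cmdline(cmdline):
    """Return (image_path, [args]) from a Windows command line."""
    m = _IMAGE_RE.match(cmdline)
    if not m:
        return None, []
    image = m.group(1) if m.group(1) is not None else m.group(2)
    return image, m.group(3).split()


def normalize_image_path(raw):
    """Collapse '.'/'..' segments and case-fold, as the loader effectively does.
    ntpath works on Windows paths regardless of the host OS."""
    return ntpath.normcase(ntpath.normpath(raw))


def detect_shadow_copy_deletion(cmdline):
    """Return a finding dict if the command line deletes shadow copies, else None."""
    image, args = split_cmdline(cmdline)
    if image is None:
        return None
    norm = normalize_image_path(image)
    expected = SHADOW_DELETE_TOOLS.get(norm)
    if expected is None:
        return None
    lowered = [a.lower() for a in args]
    for i in range(len(lowered) - 1):
        if (lowered[i], lowered[i + 1]) == expected:
            return {
                "image": norm,
                # Padding/'..' present iff normalisation changed more than case.
                "path_obfuscated": ntpath.normcase(image) != norm,
                "technique": "T1490 Inhibit System Recovery",
            }
    return None


def scan(cmdlines):
    """Run the detector over a batch of command lines; return the findings."""
    return [f for f in map(detect_shadow_copy_deletion, cmdlines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(finding)
```

The `path_obfuscated` flag is worth surfacing separately: a legitimate administrator occasionally runs `vssadmin delete shadows`, but nobody types a `..`-laden path to `wmic.exe`, so that flag alone is a high-confidence indicator even before the verb pair is checked.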
Network
| Country | Destination | Domain | Proto |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.11:80 | | tcp |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.11:80 | | tcp |
| RU | 91.218.114.11:80 | | tcp |
| RU | 91.218.114.11:80 | | tcp |
| RU | 91.218.114.11:80 | | tcp |
| RU | 91.218.114.11:80 | | tcp |
| RU | 91.218.114.25:80 | | tcp |
| RU | 91.218.114.25:80 | | tcp |
| RU | 91.218.114.25:80 | | tcp |
| RU | 91.218.114.25:80 | | tcp |
| RU | 91.218.114.25:80 | | tcp |
| RU | 91.218.114.25:80 | | tcp |
| RU | 91.218.114.26:80 | | tcp |
| RU | 91.218.114.26:80 | | tcp |
| RU | 91.218.114.26:80 | | tcp |
| RU | 91.218.114.31:80 | | tcp |
| RU | 91.218.114.31:80 | | tcp |
| RU | 91.218.114.31:80 | | tcp |
| RU | 91.218.114.26:80 | | tcp |
| RU | 91.218.114.32:80 | | tcp |
| RU | 91.218.114.26:80 | | tcp |
| RU | 91.218.114.26:80 | | tcp |
| RU | 91.218.114.31:80 | | tcp |
| RU | 91.218.114.31:80 | | tcp |
| RU | 91.218.114.31:80 | | tcp |
| RU | 91.218.114.32:80 | | tcp |
| RU | 91.218.114.32:80 | | tcp |
| RU | 91.218.114.32:80 | | tcp |
| RU | 91.218.114.32:80 | | tcp |
| RU | 91.218.114.32:80 | | tcp |
| RU | 91.218.114.37:80 | 91.218.114.37 | tcp |
| RU | 91.218.114.38:80 | | tcp |
| RU | 91.218.114.37:80 | 91.218.114.37 | tcp |
| RU | 91.218.114.38:80 | | tcp |
| RU | 91.218.114.38:80 | | tcp |
| RU | 91.218.114.38:80 | | tcp |
| RU | 91.218.114.38:80 | | tcp |
| RU | 91.218.114.38:80 | | tcp |
| RU | 91.218.114.77:80 | | tcp |
| RU | 91.218.114.77:80 | | tcp |
| RU | 91.218.114.77:80 | | tcp |
| RU | 91.218.114.77:80 | | tcp |
| RU | 91.218.114.77:80 | | tcp |
| RU | 91.218.114.77:80 | | tcp |
| RU | 91.218.114.79:80 | | tcp |
| RU | 91.218.114.79:80 | | tcp |
| RU | 91.218.114.79:80 | | tcp |
| RU | 91.218.114.79:80 | | tcp |
| RU | 91.218.114.79:80 | | tcp |
| RU | 91.218.114.79:80 | | tcp |
Files
memory/1980-54-0x00000000004C0000-0x0000000000561000-memory.dmp
memory/1980-55-0x0000000076C01000-0x0000000076C03000-memory.dmp
memory/1980-56-0x0000000000400000-0x00000000004BB000-memory.dmp
memory/340-57-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-25 13:37
Reported
2022-05-25 14:03
Platform
win10v2004-20220414-en
Max time kernel
1429s
Max time network
1423s
Command Line
Signatures
Maze
suricata: ET MALWARE Maze/ID Ransomware Activity
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\SendSelect.png => C:\Users\Admin\Pictures\SendSelect.png.Th5u | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ShowRestore.png => C:\Users\Admin\Pictures\ShowRestore.png.Th5u | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\TestConfirm.png => C:\Users\Admin\Pictures\TestConfirm.png.Th5u | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\FindRedo.tif => C:\Users\Admin\Pictures\FindRedo.tif.mFM1mh | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\JoinApprove.raw => C:\Users\Admin\Pictures\JoinApprove.raw.SyUuZ7 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MoveGroup.tif => C:\Users\Admin\Pictures\MoveGroup.tif.W7D9LWH | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\889609ac71af7fdf.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\889609ac71af7fdf.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\EnableGrant.js | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\OutMeasure.jpg | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\PublishUse.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\UndoUnpublish.js | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\889609ac71af7fdf.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ApproveSubmit.tiff | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\DismountUnregister.mp3 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\UnblockTest.dotx | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\DismountReset.midi | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\FormatTest.ttc | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\NewUnlock.xlsb | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\UnpublishSave.mpeg3 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\CompareCompress.nfo | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\JoinAdd.potx | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\UseSwitch.xlsm | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ProtectShow.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\889609ac71af7fdf.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\UseStep.dwg | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\WatchComplete.htm | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Program Files\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\EnablePush.search-ms | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\PingSwitch.rmi | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\SelectRedo.cfg | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\FormatInvoke.i64 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\SelectExport.WTV | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\StopUninstall.mhtml | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4120 wrote to memory of 5032 | N/A | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 4120 wrote to memory of 5032 | N/A | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | C:\Windows\system32\wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\wordupd.exe
"C:\Users\Admin\AppData\Local\Temp\wordupd.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\dnce\..\Windows\nv\e\..\..\system32\hw\..\wbem\dyg\..\wmic.exe" shadowcopy delete
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec 0x310
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec 0x310
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec 0x310
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec 0x310
Network
| Country | Destination | Domain | Proto |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.11:80 | | tcp |
| GB | 51.132.193.105:443 | | tcp |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.11:80 | | tcp |
| RU | 91.218.114.11:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| RU | 91.218.114.11:80 | | tcp |
| US | 8.253.208.112:80 | | tcp |
| US | 8.253.208.112:80 | | tcp |
| US | 8.253.208.112:80 | | tcp |
| US | 13.107.21.200:443 | | tcp |
| RU | 91.218.114.25:80 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 104.18.24.243:80 | | tcp |
| RU | 91.218.114.25:80 | | tcp |
| RU | 91.218.114.25:80 | | tcp |
| RU | 91.218.114.25:80 | | tcp |
| RU | 91.218.114.26:80 | | tcp |
| RU | 91.218.114.26:80 | | tcp |
| RU | 91.218.114.31:80 | | tcp |
| RU | 91.218.114.31:80 | | tcp |
| RU | 91.218.114.32:80 | | tcp |
| RU | 91.218.114.26:80 | | tcp |
| RU | 91.218.114.26:80 | | tcp |
| RU | 91.218.114.31:80 | | tcp |
| RU | 91.218.114.31:80 | | tcp |
| RU | 91.218.114.32:80 | | tcp |
| RU | 91.218.114.32:80 | | tcp |
| RU | 91.218.114.32:80 | | tcp |
| RU | 91.218.114.37:80 | 91.218.114.37 | tcp |
| RU | 91.218.114.38:80 | | tcp |
| RU | 91.218.114.37:80 | 91.218.114.37 | tcp |
| RU | 91.218.114.38:80 | | tcp |
| RU | 91.218.114.38:80 | | tcp |
| RU | 91.218.114.38:80 | | tcp |
| RU | 91.218.114.77:80 | | tcp |
| RU | 91.218.114.77:80 | | tcp |
| RU | 91.218.114.77:80 | | tcp |
| RU | 91.218.114.77:80 | | tcp |
| RU | 91.218.114.79:80 | | tcp |
| RU | 91.218.114.79:80 | | tcp |
| RU | 91.218.114.79:80 | | tcp |
| RU | 91.218.114.79:80 | | tcp |
Files
memory/4120-130-0x00000000021D0000-0x0000000002271000-memory.dmp
memory/4120-131-0x0000000000400000-0x00000000004BB000-memory.dmp
memory/5032-132-0x0000000000000000-mapping.dmp