1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2

Analysis

max time kernel
163s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-06-2022 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
Size

164KB
MD5

5f2d13576e4906501c91b8bf400e0890
SHA1

adff2761a6afe9ecaa70486c0a04746c676a133b
SHA256

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2
SHA512

29186d7c1702ab738844777a780ce982882727d8fb3ae6e1fd084bffef3ac63fcd7ca4624ee9bf047c909c303deece27f81650b1309280d6609d207e29131dfd

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe\""	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\kasykigy.exe\""	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\desktop.ini	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

description	ioc	process
File opened (read-only)	\??\S:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\R:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\O:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\N:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\J:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\G:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\W:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\V:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\F:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\E:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\Z:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\I:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\Q:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\M:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\L:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\K:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\Y:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\U:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\P:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\H:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\X:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
File opened (read-only)	\??\T:	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

description	pid	process	target process
PID 3992 set thread context of 3520	3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

pid	process
3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1508	WMIC.exe
Token: SeSecurityPrivilege	1508	WMIC.exe
Token: SeTakeOwnershipPrivilege	1508	WMIC.exe
Token: SeLoadDriverPrivilege	1508	WMIC.exe
Token: SeSystemProfilePrivilege	1508	WMIC.exe
Token: SeSystemtimePrivilege	1508	WMIC.exe
Token: SeProfSingleProcessPrivilege	1508	WMIC.exe
Token: SeIncBasePriorityPrivilege	1508	WMIC.exe
Token: SeCreatePagefilePrivilege	1508	WMIC.exe
Token: SeBackupPrivilege	1508	WMIC.exe
Token: SeRestorePrivilege	1508	WMIC.exe
Token: SeShutdownPrivilege	1508	WMIC.exe
Token: SeDebugPrivilege	1508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1508	WMIC.exe
Token: SeRemoteShutdownPrivilege	1508	WMIC.exe
Token: SeUndockPrivilege	1508	WMIC.exe
Token: SeManageVolumePrivilege	1508	WMIC.exe
Token: 33	1508	WMIC.exe
Token: 34	1508	WMIC.exe
Token: 35	1508	WMIC.exe
Token: 36	1508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1508	WMIC.exe
Token: SeSecurityPrivilege	1508	WMIC.exe
Token: SeTakeOwnershipPrivilege	1508	WMIC.exe
Token: SeLoadDriverPrivilege	1508	WMIC.exe
Token: SeSystemProfilePrivilege	1508	WMIC.exe
Token: SeSystemtimePrivilege	1508	WMIC.exe
Token: SeProfSingleProcessPrivilege	1508	WMIC.exe
Token: SeIncBasePriorityPrivilege	1508	WMIC.exe
Token: SeCreatePagefilePrivilege	1508	WMIC.exe
Token: SeBackupPrivilege	1508	WMIC.exe
Token: SeRestorePrivilege	1508	WMIC.exe
Token: SeShutdownPrivilege	1508	WMIC.exe
Token: SeDebugPrivilege	1508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1508	WMIC.exe
Token: SeRemoteShutdownPrivilege	1508	WMIC.exe
Token: SeUndockPrivilege	1508	WMIC.exe
Token: SeManageVolumePrivilege	1508	WMIC.exe
Token: 33	1508	WMIC.exe
Token: 34	1508	WMIC.exe
Token: 35	1508	WMIC.exe
Token: 36	1508	WMIC.exe
Token: SeBackupPrivilege	2464	vssvc.exe
Token: SeRestorePrivilege	2464	vssvc.exe
Token: SeAuditPrivilege	2464	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

pid	process
3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.execmd.exenet.execmd.exe

description	pid	process	target process
PID 3992 wrote to memory of 3520	3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 3992 wrote to memory of 3520	3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 3992 wrote to memory of 3520	3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 3992 wrote to memory of 3520	3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 3992 wrote to memory of 3520	3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 3992 wrote to memory of 3520	3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 3992 wrote to memory of 3520	3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 3992 wrote to memory of 3520	3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 3992 wrote to memory of 3520	3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 3992 wrote to memory of 3520	3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 3992 wrote to memory of 3520	3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 3992 wrote to memory of 3520	3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 3992 wrote to memory of 3520	3992	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
PID 3520 wrote to memory of 3288	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 3288	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 3288	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4156	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4156	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4156	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4216	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4216	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4216	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3288 wrote to memory of 4284	3288	cmd.exe	net.exe
PID 3288 wrote to memory of 4284	3288	cmd.exe	net.exe
PID 3288 wrote to memory of 4284	3288	cmd.exe	net.exe
PID 3520 wrote to memory of 4652	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4652	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4652	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4308	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4308	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4308	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 4284 wrote to memory of 3216	4284	net.exe	net1.exe
PID 4284 wrote to memory of 3216	4284	net.exe	net1.exe
PID 4284 wrote to memory of 3216	4284	net.exe	net1.exe
PID 3520 wrote to memory of 3620	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 3620	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 3620	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4432	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4432	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4432	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4312	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4312	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4312	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 1352	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 1352	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 1352	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4996	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4996	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4996	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 4216 wrote to memory of 1508	4216	cmd.exe	WMIC.exe
PID 4216 wrote to memory of 1508	4216	cmd.exe	WMIC.exe
PID 4216 wrote to memory of 1508	4216	cmd.exe	WMIC.exe
PID 3520 wrote to memory of 3972	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 3972	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 3972	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 176	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 176	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 176	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4876	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4876	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 4876	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 1124	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 1124	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe
PID 3520 wrote to memory of 1124	3520	1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
"C:\Users\Admin\AppData\Local\Temp\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Users\Admin\AppData\Local\Temp\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
  C:\Users\Admin\AppData\Local\Temp\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C net stop vss
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\SysWOW64\net.exe
      net stop vss
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4284
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vss
        5⤵
        
        PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
    3⤵
    PID:4156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
    3⤵
    PID:176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
    3⤵
    PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
    3⤵
    PID:648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
    3⤵
    PID:3820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
    3⤵
    PID:3636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/176-148-0x0000000000000000-mapping.dmp

Download
memory/648-157-0x0000000000000000-mapping.dmp

Download
memory/1124-150-0x0000000000000000-mapping.dmp

Download
memory/1248-154-0x0000000000000000-mapping.dmp

Download
memory/1352-144-0x0000000000000000-mapping.dmp

Download
memory/1508-146-0x0000000000000000-mapping.dmp

Download
memory/2184-163-0x0000000000000000-mapping.dmp

Download
memory/2328-152-0x0000000000000000-mapping.dmp

Download
memory/2512-155-0x0000000000000000-mapping.dmp

Download
memory/2680-160-0x0000000000000000-mapping.dmp

Download
memory/3016-161-0x0000000000000000-mapping.dmp

Download
memory/3216-140-0x0000000000000000-mapping.dmp

Download
memory/3288-134-0x0000000000000000-mapping.dmp

Download
memory/3452-153-0x0000000000000000-mapping.dmp

Download
memory/3520-131-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/3520-130-0x0000000000000000-mapping.dmp

Download
memory/3520-166-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3520-133-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3620-141-0x0000000000000000-mapping.dmp

Download
memory/3636-165-0x0000000000000000-mapping.dmp

Download
memory/3820-158-0x0000000000000000-mapping.dmp

Download
memory/3972-147-0x0000000000000000-mapping.dmp

Download
memory/3992-132-0x0000000002330000-0x0000000002335000-memory.dmp

Filesize
20KB

Download
memory/4008-151-0x0000000000000000-mapping.dmp

Download
memory/4156-135-0x0000000000000000-mapping.dmp

Download
memory/4216-136-0x0000000000000000-mapping.dmp

Download
memory/4284-137-0x0000000000000000-mapping.dmp

Download
memory/4308-139-0x0000000000000000-mapping.dmp

Download
memory/4312-143-0x0000000000000000-mapping.dmp

Download
memory/4432-142-0x0000000000000000-mapping.dmp

Download
memory/4444-162-0x0000000000000000-mapping.dmp

Download
memory/4564-159-0x0000000000000000-mapping.dmp

Download
memory/4652-138-0x0000000000000000-mapping.dmp

Download
memory/4832-156-0x0000000000000000-mapping.dmp

Download
memory/4876-149-0x0000000000000000-mapping.dmp

Download
memory/4924-164-0x0000000000000000-mapping.dmp

Download
memory/4996-145-0x0000000000000000-mapping.dmp

Download