Analysis
- max time kernel: 155s
- max time network: 66s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 18-06-2022 17:54
Static task: static1
Behavioral task: behavioral1
  Sample: svchOst.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: svchOst.exe
  Resource: win10v2004-20220414-en
General
- Target: svchOst.exe
- Size: 178KB
- MD5: b21a2b18631fc2d5493eb53807075380
- SHA1: 1c1c7cf048ae795cf6f29351c719772f4c1fb425
- SHA256: e49fd2651d5f3d5ffd999104841edd3e6e6dbd342507df6d2201720bdca65a74
- SHA512: ca8d5141db157d5691998dd99b7bba882e227c2cf03c99aba71587644ca749a40fcf7f27cfe555253dad61921d7e3a27c3562119b0fc7913c129a04a043ad660
Malware Config
Extracted
- Ransom note: C:\!!!WARNING !!!WARNING !!!WARNING HOW TO RECOVER ALL ENCRYPTED FILES.txt
- E-mail (from ransom note): filedecryptionsupport@msgsafe.io
Signatures
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: svchOst.exe
    File renamed C:\Users\Admin\Pictures\ProtectPing.tif => C:\Users\Admin\Pictures\ProtectPing.tif.i_mod_hacked
    File renamed C:\Users\Admin\Pictures\SendUpdate.png => C:\Users\Admin\Pictures\SendUpdate.png.i_mod_hacked
    File renamed C:\Users\Admin\Pictures\WriteUnblock.png => C:\Users\Admin\Pictures\WriteUnblock.png.i_mod_hacked
    File opened for modification C:\Users\Admin\Pictures\CloseJoin.tiff
    File opened for modification C:\Users\Admin\Pictures\CompressMount.tiff
    File renamed C:\Users\Admin\Pictures\CompressMount.tiff => C:\Users\Admin\Pictures\CompressMount.tiff.i_mod_hacked
    File renamed C:\Users\Admin\Pictures\InvokeBlock.raw => C:\Users\Admin\Pictures\InvokeBlock.raw.i_mod_hacked
    File renamed C:\Users\Admin\Pictures\RequestUnblock.crw => C:\Users\Admin\Pictures\RequestUnblock.crw.i_mod_hacked
    File renamed C:\Users\Admin\Pictures\CloseJoin.tiff => C:\Users\Admin\Pictures\CloseJoin.tiff.i_mod_hacked
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Drops desktop.ini file(s) (46 IoCs)
  Process: svchOst.exe (every entry is "File opened for modification")
    C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
    C:\Users\Admin\Favorites\Links for United States\desktop.ini
    C:\Users\Public\Recorded TV\Sample Media\desktop.ini
    C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VCRELHVT\desktop.ini
    C:\Users\Public\Libraries\desktop.ini
    C:\Users\Admin\Pictures\desktop.ini
    C:\Users\Public\Downloads\desktop.ini
    C:\Users\Public\Videos\Sample Videos\desktop.ini
    C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
    C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
    C:\Users\Admin\Documents\desktop.ini
    C:\Users\Public\Music\desktop.ini
    C:\Users\Public\Pictures\Sample Pictures\desktop.ini
    C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VP7YQ4XO\desktop.ini
    C:\Program Files\Microsoft Games\Purble Place\desktop.ini
    C:\Program Files\Microsoft Games\Chess\desktop.ini
    C:\Users\Admin\Searches\desktop.ini
    C:\Users\Public\Documents\desktop.ini
    C:\Users\Public\Pictures\desktop.ini
    C:\Users\Public\Recorded TV\desktop.ini
    C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\A9INZ3MO\desktop.ini
    C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\N6KW9TJE\desktop.ini
    C:\Program Files (x86)\desktop.ini
    C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    C:\Program Files\desktop.ini
    C:\Program Files\Microsoft Games\Mahjong\desktop.ini
    C:\Users\Admin\Contacts\desktop.ini
    C:\Users\Admin\Links\desktop.ini
    C:\Users\Public\Desktop\desktop.ini
    C:\Users\Public\Videos\desktop.ini
    C:\Program Files\Microsoft Games\FreeCell\desktop.ini
    C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
    C:\Users\Admin\Favorites\desktop.ini
    C:\Users\Admin\Music\desktop.ini
    C:\Users\Admin\Saved Games\desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
    C:\Users\Admin\Favorites\Links\desktop.ini
    C:\Users\Public\Music\Sample Music\desktop.ini
    C:\Users\Public\desktop.ini
    C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
    C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    C:\Program Files\Microsoft Games\Solitaire\desktop.ini
    C:\Users\Admin\Desktop\desktop.ini
    C:\Users\Admin\Downloads\desktop.ini
    C:\Users\Admin\Videos\desktop.ini
    C:\Program Files\Microsoft Games\Hearts\desktop.ini
- Drops file in Program Files directory (64 IoCs)
  Process: svchOst.exe
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME30.CSS
    File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_decreaseindent.gif
    File created C:\Program Files\VideoLAN\VLC\locale\ff\!!!WARNING !!!WARNING !!!WARNING HOW TO RECOVER ALL ENCRYPTED FILES.txt
    File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00459_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\BREEZE.WAV
    File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01152_.WMF
    File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\!!!WARNING !!!WARNING !!!WARNING HOW TO RECOVER ALL ENCRYPTED FILES.txt
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00559_.WMF
    File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\LICENSE
    File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR3F.GIF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFS.ICO
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00141_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107152.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02356_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL016.XML
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF
    File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORYVERT.XML
    File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png
    File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15073_.GIF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199423.WMF
    File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\nl.pak
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\notification_plugin.jar
    File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png
    File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1AR.LEX
    File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\THMBNAIL.PNG
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Norfolk
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLASSIC2.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099176.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPTL.ICO
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml
    File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\!!!WARNING !!!WARNING !!!WARNING HOW TO RECOVER ALL ENCRYPTED FILES.txt
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR36B.GIF
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_zh_CN.jar
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\OUTEX.ECF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART13.BDR
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCARD.DPV
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest
    File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as80.xsl
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm
    File opened for modification C:\Program Files\Common Files\System\ado\adovbs.inc
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0157167.WMF
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties
    File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.GIF
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pitcairn
    File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg
    File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00319_.WMF
    File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\!!!WARNING !!!WARNING !!!WARNING HOW TO RECOVER ALL ENCRYPTED FILES.txt
- Modifies registry class (2 IoCs)
  Process: rundll32.exe
    Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings
    Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
- Opens file in notepad (likely ransom note) (1 IoC)
  Process: NOTEPAD.EXE, pid 1968
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: svchOst.exe, pid 1176 (64 process-enumeration events, all from this pid)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: vssvc.exe, WMIC.exe, WMIC.exe
    vssvc.exe, pid 2016: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    WMIC.exe, pid 584 (the following sequence recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    WMIC.exe, pid 1692: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, SeIncreaseQuotaPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: svchOst.exe, cmd.exe (nine instances)
  Source pid/process -> target pid/process (number of writes recorded):
    1176 svchOst.exe -> 792 cmd.exe (4)
    792 cmd.exe -> 584 WMIC.exe (3)
    1176 svchOst.exe -> 2036 cmd.exe (4)
    2036 cmd.exe -> 1692 WMIC.exe (3)
    1176 svchOst.exe -> 884 cmd.exe (4)
    884 cmd.exe -> 1976 WMIC.exe (3)
    1176 svchOst.exe -> 1684 cmd.exe (4)
    1684 cmd.exe -> 1704 WMIC.exe (3)
    1176 svchOst.exe -> 1128 cmd.exe (4)
    1128 cmd.exe -> 1772 WMIC.exe (3)
    1176 svchOst.exe -> 1520 cmd.exe (4)
    1520 cmd.exe -> 1172 WMIC.exe (3)
    1176 svchOst.exe -> 524 cmd.exe (4)
    524 cmd.exe -> 1304 WMIC.exe (3)
    1176 svchOst.exe -> 1124 cmd.exe (4)
    1124 cmd.exe -> 1948 WMIC.exe (3)
    1176 svchOst.exe -> 1608 cmd.exe (4)
    1608 cmd.exe -> 1592 WMIC.exe (3)
    1176 svchOst.exe -> 1692 cmd.exe (1)
Processes
(The depth marker N⤵ gives the level in the process tree; each entry lists the image path, then the command line, then the signatures raised by that process.)

1⤵ C:\Users\Admin\AppData\Local\Temp\svchOst.exe
   "C:\Users\Admin\AppData\Local\Temp\svchOst.exe"
   - Modifies extensions of user files
   - Drops desktop.ini file(s)
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EDCFA4FE-1F6C-442C-8EF3-9995E441F70D}'" delete
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EDCFA4FE-1F6C-442C-8EF3-9995E441F70D}'" delete
       - Suspicious use of AdjustPrivilegeToken

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E532BCB-120D-4D19-962B-2BB905B2BD42}'" delete
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E532BCB-120D-4D19-962B-2BB905B2BD42}'" delete
       - Suspicious use of AdjustPrivilegeToken

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06DE4A3E-25E2-40DF-93F8-A8E22F682ABA}'" delete
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06DE4A3E-25E2-40DF-93F8-A8E22F682ABA}'" delete

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C8A8043D-FF62-4E61-85AD-2A438E353E18}'" delete
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C8A8043D-FF62-4E61-85AD-2A438E353E18}'" delete

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{203BFC31-E561-44FB-B2A1-88ACF2C92243}'" delete
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{203BFC31-E561-44FB-B2A1-88ACF2C92243}'" delete

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{89F5BFE8-FBAE-45FC-A688-4566209A3232}'" delete
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{89F5BFE8-FBAE-45FC-A688-4566209A3232}'" delete

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40BCF200-47C0-41AC-91FA-0D446BABEB4D}'" delete
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40BCF200-47C0-41AC-91FA-0D446BABEB4D}'" delete

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8ADC23FB-816F-4E3A-B37D-131A51A1B4E3}'" delete
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8ADC23FB-816F-4E3A-B37D-131A51A1B4E3}'" delete

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C9333B9-35AA-4E5F-B471-A6F7871710A0}'" delete
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C9333B9-35AA-4E5F-B471-A6F7871710A0}'" delete

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3B8B9F13-14EB-4E2B-8A39-F8F9883D9B09}'" delete
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3B8B9F13-14EB-4E2B-8A39-F8F9883D9B09}'" delete

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FDCAB913-132C-4F5E-9D24-632273DB574D}'" delete
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FDCAB913-132C-4F5E-9D24-632273DB574D}'" delete

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1AFB1A4D-CF63-42AA-8277-B539C726A3FE}'" delete
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1AFB1A4D-CF63-42AA-8277-B539C726A3FE}'" delete

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{97D2D227-D356-42E4-9F1E-F0E2C39F04A8}'" delete
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{97D2D227-D356-42E4-9F1E-F0E2C39F04A8}'" delete

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FB6CA420-4030-4B5A-BE77-7CE219FD5560}'" delete
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FB6CA420-4030-4B5A-BE77-7CE219FD5560}'" delete

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F7E739E-02C8-4213-841E-D52E6F6C4CDA}'" delete
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F7E739E-02C8-4213-841E-D52E6F6C4CDA}'" delete

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{25279260-6A38-46F0-B974-0A42D6DAC829}'" delete
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{25279260-6A38-46F0-B974-0A42D6DAC829}'" delete

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A355AA25-0156-45D2-97A4-253D64FB7F34}'" delete
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A355AA25-0156-45D2-97A4-253D64FB7F34}'" delete

  2⤵ C:\Windows\system32\cmd.exe
     cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2FD0C5D-9578-479A-ABF4-C79131ED53FC}'" delete
    3⤵ C:\Windows\System32\wbem\WMIC.exe
       C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2FD0C5D-9578-479A-ABF4-C79131ED53FC}'" delete

1⤵ C:\Windows\system32\vssvc.exe
   C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken

1⤵ C:\Windows\system32\rundll32.exe
   "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UpdateResume.mpv2.i_mod_hacked
   - Modifies registry class
  2⤵ C:\Windows\system32\NOTEPAD.EXE
     "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UpdateResume.mpv2.i_mod_hacked
     - Opens file in notepad (likely ransom note)
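The process tree above records two behaviours worth alerting on from endpoint telemetry: the sample spawns one cmd.exe -> WMIC.exe pair per Volume Shadow Copy, each running `shadowcopy where "ID='{...}'" delete`, and it renames user files by appending a single new extension (`.i_mod_hacked`). The following detection logic is an added example, not part of the sandbox report or of the sample; it runs over constructed Sysmon-style process-creation and file-rename events whose field names (`pid`, `parent_image`, `image`, `command_line`, `old_path`, `new_path`) are an assumption about the log schema. The shadow-copy IDs, file names and PIDs in the sample data are taken from the report; the vssadmin pattern is a generalisation beyond what this run shows.

```python
"""Added example: detection logic for two behaviours in the report above.

Constructed Sysmon-style events (field names are an assumption, not the
sandbox's schema) are scanned for (1) shadow-copy deletion through WMIC,
one "where ID=... delete" per snapshot as the process tree shows, and
(2) a burst of files renamed by one process to a single appended extension
(.i_mod_hacked here). Not code from the sandbox or the sample."""
import re
from collections import Counter

# The WHERE clause between "shadowcopy" and "delete" varies per snapshot,
# so the pattern allows arbitrary text there. Enumeration ("list") does not match.
WMIC_SHADOW_DELETE = re.compile(
    r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)
# Generalisation beyond this report: the same goal reached via vssadmin.
VSSADMIN_SHADOW_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)


def is_shadow_copy_deletion(command_line):
    """True if the command line deletes Volume Shadow Copies."""
    return bool(WMIC_SHADOW_DELETE.search(command_line)
                or VSSADMIN_SHADOW_DELETE.search(command_line))


def added_extension(old_path, new_path):
    """Return the suffix appended by a rename (e.g. '.i_mod_hacked' for
    'a.png' -> 'a.png.i_mod_hacked'), or None for any other kind of rename."""
    if not new_path.startswith(old_path):
        return None
    suffix = new_path[len(old_path):]
    if len(suffix) < 2 or suffix[0] != "." or "\\" in suffix or "/" in suffix:
        return None
    return suffix.lower()


def analyse(events, rename_threshold=5):
    """Return shadow-copy deletions and the (pid, image, ext) groups with at
    least rename_threshold appended-extension renames."""
    deletions = []
    renames = Counter()
    for ev in events:
        if ev["type"] == "process_create":
            if is_shadow_copy_deletion(ev["command_line"]):
                deletions.append((ev["pid"], ev["parent_image"], ev["image"]))
        elif ev["type"] == "file_rename":
            ext = added_extension(ev["old_path"], ev["new_path"])
            if ext is not None:
                renames[(ev["pid"], ev["image"], ext)] += 1
    mass = {key: n for key, n in renames.items() if n >= rename_threshold}
    return {"shadow_copy_deletions": deletions, "mass_renames": mass}


# Constructed sample input mirroring the report: shadow IDs, file names and
# PIDs are taken from it, the event schema is assumed.
def wmic_delete(shadow_id):
    return (f"C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where "
            f"\"ID='{{{shadow_id}}}'\" delete")


def proc(pid, parent_image, image, command_line):
    return {"type": "process_create", "pid": pid, "parent_image": parent_image,
            "image": image, "command_line": command_line}


def rename(pid, image, old_path, new_path):
    return {"type": "file_rename", "pid": pid, "image": image,
            "old_path": old_path, "new_path": new_path}


PICTURES = "C:\\Users\\Admin\\Pictures"
ENCRYPTED = ["ProtectPing.tif", "SendUpdate.png", "WriteUnblock.png",
             "CompressMount.tiff", "InvokeBlock.raw", "RequestUnblock.crw"]
SAMPLE_EVENTS = [
    proc(792, "svchOst.exe", "cmd.exe",
         "cmd.exe /c " + wmic_delete("EDCFA4FE-1F6C-442C-8EF3-9995E441F70D")),
    proc(584, "cmd.exe", "WMIC.exe",
         wmic_delete("EDCFA4FE-1F6C-442C-8EF3-9995E441F70D")),
    proc(2036, "svchOst.exe", "cmd.exe",
         "cmd.exe /c " + wmic_delete("0E532BCB-120D-4D19-962B-2BB905B2BD42")),
    proc(1692, "cmd.exe", "WMIC.exe",
         wmic_delete("0E532BCB-120D-4D19-962B-2BB905B2BD42")),
    # Benign look-alikes that must not fire:
    proc(3000, "cmd.exe", "WMIC.exe", "wmic shadowcopy list brief"),
    proc(1968, "explorer.exe", "NOTEPAD.EXE",
         "NOTEPAD.EXE C:\\Users\\Admin\\Desktop\\notes.txt"),
    rename(1400, "explorer.exe", "C:\\Users\\Admin\\Documents\\draft.docx",
           "C:\\Users\\Admin\\Documents\\draft_final.docx"),
] + [rename(1176, "svchOst.exe", f"{PICTURES}\\{name}",
            f"{PICTURES}\\{name}.i_mod_hacked") for name in ENCRYPTED]


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for pid, parent, image in result["shadow_copy_deletions"]:
        print(f"shadow copy deletion: {image} (pid {pid}, parent {parent})")
    for (pid, image, ext), n in result["mass_renames"].items():
        print(f"mass rename: {image} (pid {pid}) appended {ext} to {n} files")
```

Both the cmd.exe wrapper and the WMIC.exe child match, which mirrors the report's tree and gives the parent chain for triage; the rename threshold is deliberately low because the report shows the burst within a single process, and the benign `list brief` enumeration and an ordinary document rename do not fire.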
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\UpdateResume.mpv2.i_mod_hacked
  Filesize: 664KB
  MD5: 187e46ac2a88c18164bd4adc5361e499
  SHA1: da0ef4ce0671dc4e3fb036bb12bf2a0118025b99
  SHA256: d863acb598b1c029b9af7600136c564f1b247fa866a9f8dcc5caa4f9bcf48475
  SHA512: e235347c98519b4989c7f2fb3bbbc5d8dcdefb9b2ad88a4ea7eb62c9b9a0a3dcf5b624f0f235ba882411c1a7a124603fcd3db1810c0202b4f2ffadee77211678
- memory/524-67-0x0000000000000000-mapping.dmp
- memory/528-78-0x0000000000000000-mapping.dmp
- memory/580-76-0x0000000000000000-mapping.dmp
- memory/584-56-0x0000000000000000-mapping.dmp
- memory/584-84-0x0000000000000000-mapping.dmp
- memory/792-55-0x0000000000000000-mapping.dmp
- memory/852-85-0x0000000000000000-mapping.dmp
- memory/884-59-0x0000000000000000-mapping.dmp
- memory/1008-89-0x0000000000000000-mapping.dmp
- memory/1016-86-0x0000000000000000-mapping.dmp
- memory/1124-69-0x0000000000000000-mapping.dmp
- memory/1128-63-0x0000000000000000-mapping.dmp
- memory/1172-81-0x0000000000000000-mapping.dmp
- memory/1172-66-0x0000000000000000-mapping.dmp
- memory/1176-54-0x0000000075A61000-0x0000000075A63000-memory.dmp (Filesize: 8KB)
- memory/1224-90-0x0000000000000000-mapping.dmp
- memory/1304-68-0x0000000000000000-mapping.dmp
- memory/1332-74-0x0000000000000000-mapping.dmp
- memory/1520-65-0x0000000000000000-mapping.dmp
- memory/1592-72-0x0000000000000000-mapping.dmp
- memory/1608-71-0x0000000000000000-mapping.dmp
- memory/1636-82-0x0000000000000000-mapping.dmp
- memory/1648-80-0x0000000000000000-mapping.dmp
- memory/1664-87-0x0000000000000000-mapping.dmp
- memory/1684-61-0x0000000000000000-mapping.dmp
- memory/1692-73-0x0000000000000000-mapping.dmp
- memory/1692-58-0x0000000000000000-mapping.dmp
- memory/1704-62-0x0000000000000000-mapping.dmp
- memory/1704-77-0x0000000000000000-mapping.dmp
- memory/1772-64-0x0000000000000000-mapping.dmp
- memory/1772-79-0x0000000000000000-mapping.dmp
- memory/1808-88-0x0000000000000000-mapping.dmp
- memory/1820-83-0x0000000000000000-mapping.dmp
- memory/1948-70-0x0000000000000000-mapping.dmp
- memory/1968-91-0x000007FEFB871000-0x000007FEFB873000-memory.dmp (Filesize: 8KB)
- memory/1976-75-0x0000000000000000-mapping.dmp
- memory/1976-60-0x0000000000000000-mapping.dmp
- memory/2036-57-0x0000000000000000-mapping.dmp