e49fd2651d5f3d5ffd999104841edd3e6e6dbd342507df6d2201720bdca65a74

General

Target

svchOst.exe
Size

178KB
MD5

b21a2b18631fc2d5493eb53807075380
SHA1

1c1c7cf048ae795cf6f29351c719772f4c1fb425
SHA256

e49fd2651d5f3d5ffd999104841edd3e6e6dbd342507df6d2201720bdca65a74
SHA512

ca8d5141db157d5691998dd99b7bba882e227c2cf03c99aba71587644ca749a40fcf7f27cfe555253dad61921d7e3a27c3562119b0fc7913c129a04a043ad660

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\!!!WARNING !!!WARNING !!!WARNING HOW TO RECOVER ALL ENCRYPTED FILES.txt

Ransom Note

!!! GREETINGS i-mod.me all other employees !!! What happened ? We are a team of Certified network security experts, after accessing your networks for more than 3 weeks, We hacked almost All your network , All Computers, Servers were hacked due to weak security We Accessed All your Accounts and downloaded all google drive files, gmail contacts , passwords etc Your files, databases, documents .etc , where DOWNLOADED and stored on our private servers We Downloaded 900GB+ of Files, Backups, Databases,IMS, Contract Documents, Property Documents We Locked or Encrypted All files,databases,backups on your computer network What Do You Want ? TO US GETTING MONEY MATTERS && OUR REPUTATION You must pay us to restore your network and all files,databases,documents ... You have Five(5) days to pay or price increases WE DON'T ASK MUCH MONEY How can we contact YOU ? write to this email : filedecryptionsupport@msgsafe.io write on telegram : @decryptionsupport Why did you choose to encrypt our machines instead ? To proof we hacked your networks and we are still in To show the risks && side effects of unsecured network What happens when You pay us ? We Provide you with decryption software to unlock or decrypt all your files on network,servers and computers We remove all malwares virus from your network We Delete All files we downloaded to our servers We provide tips on how to protect your network from another hack What if We Don't Pay You ? We downloaded all your Data, Files, Databases,Credentials,Backups we will publish , leak them on telegram channels ,discord servers, twitter ...etc Everyone on the internet can download for free What if After payment you don't provide help? This is our business. We honour our reputation For Guarantee of successful decryption of all files on computers, servers .. We offer free decryption for not more than 3 encrypted files before we take PAYMENT We will not PAY people like You, We will restore from offline backups ? We will sell all the data we downloaded to get our money We will publish All Files, Documents, database , Credentials for free on the internet ; telegram channels ,discord servers, twitter ...etc Data we downloaded includes IF YOU WANT PROOF OF ALL DOWNLOADED FILES, DATABASES , Documents ... contact us !!! BEWARE !!! DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! - Don't try because you will damage all the files Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

filedecryptionsupport@msgsafe.io

Signatures

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchOst.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ProtectPing.tif => C:\Users\Admin\Pictures\ProtectPing.tif.i_mod_hacked	svchOst.exe
File renamed	C:\Users\Admin\Pictures\SendUpdate.png => C:\Users\Admin\Pictures\SendUpdate.png.i_mod_hacked	svchOst.exe
File renamed	C:\Users\Admin\Pictures\WriteUnblock.png => C:\Users\Admin\Pictures\WriteUnblock.png.i_mod_hacked	svchOst.exe
File opened for modification	C:\Users\Admin\Pictures\CloseJoin.tiff	svchOst.exe
File opened for modification	C:\Users\Admin\Pictures\CompressMount.tiff	svchOst.exe
File renamed	C:\Users\Admin\Pictures\CompressMount.tiff => C:\Users\Admin\Pictures\CompressMount.tiff.i_mod_hacked	svchOst.exe
File renamed	C:\Users\Admin\Pictures\InvokeBlock.raw => C:\Users\Admin\Pictures\InvokeBlock.raw.i_mod_hacked	svchOst.exe
File renamed	C:\Users\Admin\Pictures\RequestUnblock.crw => C:\Users\Admin\Pictures\RequestUnblock.crw.i_mod_hacked	svchOst.exe
File renamed	C:\Users\Admin\Pictures\CloseJoin.tiff => C:\Users\Admin\Pictures\CloseJoin.tiff.i_mod_hacked	svchOst.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 46 IoCs

Processes:

svchOst.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VCRELHVT\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	svchOst.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VP7YQ4XO\desktop.ini	svchOst.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	svchOst.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\A9INZ3MO\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\N6KW9TJE\desktop.ini	svchOst.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchOst.exe
File opened for modification	C:\Program Files\desktop.ini	svchOst.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchOst.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	svchOst.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchOst.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Public\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchOst.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchOst.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchOst.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	svchOst.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchOst.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME30.CSS	svchOst.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_decreaseindent.gif	svchOst.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\!!!WARNING !!!WARNING !!!WARNING HOW TO RECOVER ALL ENCRYPTED FILES.txt	svchOst.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00459_.WMF	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\BREEZE.WAV	svchOst.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01152_.WMF	svchOst.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\!!!WARNING !!!WARNING !!!WARNING HOW TO RECOVER ALL ENCRYPTED FILES.txt	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00559_.WMF	svchOst.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png	svchOst.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\LICENSE	svchOst.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand	svchOst.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR3F.GIF	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFS.ICO	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00141_.WMF	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107152.WMF	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02356_.WMF	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL016.XML	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF	svchOst.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORYVERT.XML	svchOst.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15073_.GIF	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199423.WMF	svchOst.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\nl.pak	svchOst.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\notification_plugin.jar	svchOst.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png	svchOst.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1AR.LEX	svchOst.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\THMBNAIL.PNG	svchOst.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar	svchOst.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Norfolk	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLASSIC2.WMF	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099176.WMF	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPTL.ICO	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml	svchOst.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\!!!WARNING !!!WARNING !!!WARNING HOW TO RECOVER ALL ENCRYPTED FILES.txt	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR36B.GIF	svchOst.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_zh_CN.jar	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\OUTEX.ECF	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART13.BDR	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCARD.DPV	svchOst.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar	svchOst.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as80.xsl	svchOst.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT	svchOst.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar	svchOst.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	svchOst.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adovbs.inc	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0157167.WMF	svchOst.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war	svchOst.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.GIF	svchOst.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pitcairn	svchOst.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg	svchOst.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg	svchOst.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00319_.WMF	svchOst.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\!!!WARNING !!!WARNING !!!WARNING HOW TO RECOVER ALL ENCRYPTED FILES.txt	svchOst.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1968 NOTEPAD.EXE

pid	process
1968	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchOst.exe

pid	process
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe
1176	svchOst.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	2016	vssvc.exe
Token: SeRestorePrivilege	2016	vssvc.exe
Token: SeAuditPrivilege	2016	vssvc.exe
Token: SeIncreaseQuotaPrivilege	584	WMIC.exe
Token: SeSecurityPrivilege	584	WMIC.exe
Token: SeTakeOwnershipPrivilege	584	WMIC.exe
Token: SeLoadDriverPrivilege	584	WMIC.exe
Token: SeSystemProfilePrivilege	584	WMIC.exe
Token: SeSystemtimePrivilege	584	WMIC.exe
Token: SeProfSingleProcessPrivilege	584	WMIC.exe
Token: SeIncBasePriorityPrivilege	584	WMIC.exe
Token: SeCreatePagefilePrivilege	584	WMIC.exe
Token: SeBackupPrivilege	584	WMIC.exe
Token: SeRestorePrivilege	584	WMIC.exe
Token: SeShutdownPrivilege	584	WMIC.exe
Token: SeDebugPrivilege	584	WMIC.exe
Token: SeSystemEnvironmentPrivilege	584	WMIC.exe
Token: SeRemoteShutdownPrivilege	584	WMIC.exe
Token: SeUndockPrivilege	584	WMIC.exe
Token: SeManageVolumePrivilege	584	WMIC.exe
Token: 33	584	WMIC.exe
Token: 34	584	WMIC.exe
Token: 35	584	WMIC.exe
Token: SeIncreaseQuotaPrivilege	584	WMIC.exe
Token: SeSecurityPrivilege	584	WMIC.exe
Token: SeTakeOwnershipPrivilege	584	WMIC.exe
Token: SeLoadDriverPrivilege	584	WMIC.exe
Token: SeSystemProfilePrivilege	584	WMIC.exe
Token: SeSystemtimePrivilege	584	WMIC.exe
Token: SeProfSingleProcessPrivilege	584	WMIC.exe
Token: SeIncBasePriorityPrivilege	584	WMIC.exe
Token: SeCreatePagefilePrivilege	584	WMIC.exe
Token: SeBackupPrivilege	584	WMIC.exe
Token: SeRestorePrivilege	584	WMIC.exe
Token: SeShutdownPrivilege	584	WMIC.exe
Token: SeDebugPrivilege	584	WMIC.exe
Token: SeSystemEnvironmentPrivilege	584	WMIC.exe
Token: SeRemoteShutdownPrivilege	584	WMIC.exe
Token: SeUndockPrivilege	584	WMIC.exe
Token: SeManageVolumePrivilege	584	WMIC.exe
Token: 33	584	WMIC.exe
Token: 34	584	WMIC.exe
Token: 35	584	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1692	WMIC.exe
Token: SeSecurityPrivilege	1692	WMIC.exe
Token: SeTakeOwnershipPrivilege	1692	WMIC.exe
Token: SeLoadDriverPrivilege	1692	WMIC.exe
Token: SeSystemProfilePrivilege	1692	WMIC.exe
Token: SeSystemtimePrivilege	1692	WMIC.exe
Token: SeProfSingleProcessPrivilege	1692	WMIC.exe
Token: SeIncBasePriorityPrivilege	1692	WMIC.exe
Token: SeCreatePagefilePrivilege	1692	WMIC.exe
Token: SeBackupPrivilege	1692	WMIC.exe
Token: SeRestorePrivilege	1692	WMIC.exe
Token: SeShutdownPrivilege	1692	WMIC.exe
Token: SeDebugPrivilege	1692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1692	WMIC.exe
Token: SeRemoteShutdownPrivilege	1692	WMIC.exe
Token: SeUndockPrivilege	1692	WMIC.exe
Token: SeManageVolumePrivilege	1692	WMIC.exe
Token: 33	1692	WMIC.exe
Token: 34	1692	WMIC.exe
Token: 35	1692	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1692	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchOst.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1176 wrote to memory of 792	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 792	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 792	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 792	1176	svchOst.exe	cmd.exe
PID 792 wrote to memory of 584	792	cmd.exe	WMIC.exe
PID 792 wrote to memory of 584	792	cmd.exe	WMIC.exe
PID 792 wrote to memory of 584	792	cmd.exe	WMIC.exe
PID 1176 wrote to memory of 2036	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 2036	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 2036	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 2036	1176	svchOst.exe	cmd.exe
PID 2036 wrote to memory of 1692	2036	cmd.exe	WMIC.exe
PID 2036 wrote to memory of 1692	2036	cmd.exe	WMIC.exe
PID 2036 wrote to memory of 1692	2036	cmd.exe	WMIC.exe
PID 1176 wrote to memory of 884	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 884	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 884	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 884	1176	svchOst.exe	cmd.exe
PID 884 wrote to memory of 1976	884	cmd.exe	WMIC.exe
PID 884 wrote to memory of 1976	884	cmd.exe	WMIC.exe
PID 884 wrote to memory of 1976	884	cmd.exe	WMIC.exe
PID 1176 wrote to memory of 1684	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 1684	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 1684	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 1684	1176	svchOst.exe	cmd.exe
PID 1684 wrote to memory of 1704	1684	cmd.exe	WMIC.exe
PID 1684 wrote to memory of 1704	1684	cmd.exe	WMIC.exe
PID 1684 wrote to memory of 1704	1684	cmd.exe	WMIC.exe
PID 1176 wrote to memory of 1128	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 1128	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 1128	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 1128	1176	svchOst.exe	cmd.exe
PID 1128 wrote to memory of 1772	1128	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 1772	1128	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 1772	1128	cmd.exe	WMIC.exe
PID 1176 wrote to memory of 1520	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 1520	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 1520	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 1520	1176	svchOst.exe	cmd.exe
PID 1520 wrote to memory of 1172	1520	cmd.exe	WMIC.exe
PID 1520 wrote to memory of 1172	1520	cmd.exe	WMIC.exe
PID 1520 wrote to memory of 1172	1520	cmd.exe	WMIC.exe
PID 1176 wrote to memory of 524	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 524	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 524	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 524	1176	svchOst.exe	cmd.exe
PID 524 wrote to memory of 1304	524	cmd.exe	WMIC.exe
PID 524 wrote to memory of 1304	524	cmd.exe	WMIC.exe
PID 524 wrote to memory of 1304	524	cmd.exe	WMIC.exe
PID 1176 wrote to memory of 1124	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 1124	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 1124	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 1124	1176	svchOst.exe	cmd.exe
PID 1124 wrote to memory of 1948	1124	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 1948	1124	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 1948	1124	cmd.exe	WMIC.exe
PID 1176 wrote to memory of 1608	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 1608	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 1608	1176	svchOst.exe	cmd.exe
PID 1176 wrote to memory of 1608	1176	svchOst.exe	cmd.exe
PID 1608 wrote to memory of 1592	1608	cmd.exe	WMIC.exe
PID 1608 wrote to memory of 1592	1608	cmd.exe	WMIC.exe
PID 1608 wrote to memory of 1592	1608	cmd.exe	WMIC.exe
PID 1176 wrote to memory of 1692	1176	svchOst.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\svchOst.exe
"C:\Users\Admin\AppData\Local\Temp\svchOst.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EDCFA4FE-1F6C-442C-8EF3-9995E441F70D}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EDCFA4FE-1F6C-442C-8EF3-9995E441F70D}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E532BCB-120D-4D19-962B-2BB905B2BD42}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E532BCB-120D-4D19-962B-2BB905B2BD42}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06DE4A3E-25E2-40DF-93F8-A8E22F682ABA}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06DE4A3E-25E2-40DF-93F8-A8E22F682ABA}'" delete
3⤵
PID:1976

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C8A8043D-FF62-4E61-85AD-2A438E353E18}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C8A8043D-FF62-4E61-85AD-2A438E353E18}'" delete
3⤵
PID:1704

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{203BFC31-E561-44FB-B2A1-88ACF2C92243}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{203BFC31-E561-44FB-B2A1-88ACF2C92243}'" delete
3⤵
PID:1772

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{89F5BFE8-FBAE-45FC-A688-4566209A3232}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{89F5BFE8-FBAE-45FC-A688-4566209A3232}'" delete
3⤵
PID:1172

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40BCF200-47C0-41AC-91FA-0D446BABEB4D}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40BCF200-47C0-41AC-91FA-0D446BABEB4D}'" delete
3⤵
PID:1304

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8ADC23FB-816F-4E3A-B37D-131A51A1B4E3}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8ADC23FB-816F-4E3A-B37D-131A51A1B4E3}'" delete
3⤵
PID:1948

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C9333B9-35AA-4E5F-B471-A6F7871710A0}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C9333B9-35AA-4E5F-B471-A6F7871710A0}'" delete
3⤵
PID:1592

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3B8B9F13-14EB-4E2B-8A39-F8F9883D9B09}'" delete
2⤵
PID:1692

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3B8B9F13-14EB-4E2B-8A39-F8F9883D9B09}'" delete
3⤵
PID:1332

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FDCAB913-132C-4F5E-9D24-632273DB574D}'" delete
2⤵
PID:1976

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FDCAB913-132C-4F5E-9D24-632273DB574D}'" delete
3⤵
PID:580

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1AFB1A4D-CF63-42AA-8277-B539C726A3FE}'" delete
2⤵
PID:1704

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1AFB1A4D-CF63-42AA-8277-B539C726A3FE}'" delete
3⤵
PID:528

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{97D2D227-D356-42E4-9F1E-F0E2C39F04A8}'" delete
2⤵
PID:1772

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{97D2D227-D356-42E4-9F1E-F0E2C39F04A8}'" delete
3⤵
PID:1648

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FB6CA420-4030-4B5A-BE77-7CE219FD5560}'" delete
2⤵
PID:1172

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FB6CA420-4030-4B5A-BE77-7CE219FD5560}'" delete
3⤵
PID:1636

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F7E739E-02C8-4213-841E-D52E6F6C4CDA}'" delete
2⤵
PID:1820

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F7E739E-02C8-4213-841E-D52E6F6C4CDA}'" delete
3⤵
PID:584

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{25279260-6A38-46F0-B974-0A42D6DAC829}'" delete
2⤵
PID:852

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{25279260-6A38-46F0-B974-0A42D6DAC829}'" delete
3⤵
PID:1016

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A355AA25-0156-45D2-97A4-253D64FB7F34}'" delete
2⤵
PID:1664

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A355AA25-0156-45D2-97A4-253D64FB7F34}'" delete
3⤵
PID:1808

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2FD0C5D-9578-479A-ABF4-C79131ED53FC}'" delete
2⤵
PID:1008

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2FD0C5D-9578-479A-ABF4-C79131ED53FC}'" delete
3⤵
PID:1224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UpdateResume.mpv2.i_mod_hacked
1⤵
- Modifies registry class
PID:1304

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UpdateResume.mpv2.i_mod_hacked
2⤵
- Opens file in notepad (likely ransom note)
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\UpdateResume.mpv2.i_mod_hacked
Filesize
664KB

MD5
187e46ac2a88c18164bd4adc5361e499

SHA1
da0ef4ce0671dc4e3fb036bb12bf2a0118025b99

SHA256
d863acb598b1c029b9af7600136c564f1b247fa866a9f8dcc5caa4f9bcf48475

SHA512
e235347c98519b4989c7f2fb3bbbc5d8dcdefb9b2ad88a4ea7eb62c9b9a0a3dcf5b624f0f235ba882411c1a7a124603fcd3db1810c0202b4f2ffadee77211678

Download Submit
memory/524-67-0x0000000000000000-mapping.dmp

Download
memory/528-78-0x0000000000000000-mapping.dmp

Download
memory/580-76-0x0000000000000000-mapping.dmp

Download
memory/584-56-0x0000000000000000-mapping.dmp

Download
memory/584-84-0x0000000000000000-mapping.dmp

Download
memory/792-55-0x0000000000000000-mapping.dmp

Download
memory/852-85-0x0000000000000000-mapping.dmp

Download
memory/884-59-0x0000000000000000-mapping.dmp

Download
memory/1008-89-0x0000000000000000-mapping.dmp

Download
memory/1016-86-0x0000000000000000-mapping.dmp

Download
memory/1124-69-0x0000000000000000-mapping.dmp

Download
memory/1128-63-0x0000000000000000-mapping.dmp

Download
memory/1172-81-0x0000000000000000-mapping.dmp

Download
memory/1172-66-0x0000000000000000-mapping.dmp

Download
memory/1176-54-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download
memory/1224-90-0x0000000000000000-mapping.dmp

Download
memory/1304-68-0x0000000000000000-mapping.dmp

Download
memory/1332-74-0x0000000000000000-mapping.dmp

Download
memory/1520-65-0x0000000000000000-mapping.dmp

Download
memory/1592-72-0x0000000000000000-mapping.dmp

Download
memory/1608-71-0x0000000000000000-mapping.dmp

Download
memory/1636-82-0x0000000000000000-mapping.dmp

Download
memory/1648-80-0x0000000000000000-mapping.dmp

Download
memory/1664-87-0x0000000000000000-mapping.dmp

Download
memory/1684-61-0x0000000000000000-mapping.dmp

Download
memory/1692-73-0x0000000000000000-mapping.dmp

Download
memory/1692-58-0x0000000000000000-mapping.dmp

Download
memory/1704-62-0x0000000000000000-mapping.dmp

Download
memory/1704-77-0x0000000000000000-mapping.dmp

Download
memory/1772-64-0x0000000000000000-mapping.dmp

Download
memory/1772-79-0x0000000000000000-mapping.dmp

Download
memory/1808-88-0x0000000000000000-mapping.dmp

Download
memory/1820-83-0x0000000000000000-mapping.dmp

Download
memory/1948-70-0x0000000000000000-mapping.dmp

Download
memory/1968-91-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download
memory/1976-75-0x0000000000000000-mapping.dmp

Download
memory/1976-60-0x0000000000000000-mapping.dmp

Download
memory/2036-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads