Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-06-2022 11:45
Static task
static1
Behavioral task
behavioral1
Sample
z7w3x.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
z7w3x.exe
Resource
win10v2004-20220414-en
General
-
Target
z7w3x.exe
-
Size
621KB
-
MD5
753585e5e099b192cf8d7593dd5ef4bf
-
SHA1
68c5d6b38c9dd9e9e1e888386025352811147028
-
SHA256
e26b2ffb2ee711fc7b04d62911580560794ee4fa9b7fcfade65ee6ff2eed0274
-
SHA512
de96554eaa3971672f05228d26fc6cbe98c8a5b31d35b21c92256c4dfee24ec81a708d601e0be4b80a0a365f620e4b0582f6fcc950f29df2ed6233c8314494ce
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\Horse.txt
horsemagyar@onionmail.org
https://icq.com/windows/
https://icq.im/HORSEMAGYAR
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
z7w3x.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\MountNew.tiff z7w3x.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1288 cmd.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
z7w3x.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run z7w3x.exe Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\z7w3x.exe\" e" z7w3x.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
z7w3x.exedescription ioc process File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-790309383-526510583-3802439154-1000\desktop.ini z7w3x.exe -
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
vssadmin.exez7w3x.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exedescription ioc process File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\D: z7w3x.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\E: z7w3x.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid process 1296 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1516 timeout.exe -
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exepid process 1548 vssadmin.exe 648 vssadmin.exe 1656 vssadmin.exe 1248 vssadmin.exe 1908 vssadmin.exe 624 vssadmin.exe 808 vssadmin.exe 1128 vssadmin.exe 884 vssadmin.exe 1188 vssadmin.exe 924 vssadmin.exe 960 vssadmin.exe 924 vssadmin.exe 580 vssadmin.exe -
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXErundll32.exerundll32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\likeoldboobs_auto_file\shell\open rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\likeoldboobs_auto_file\ rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\likeoldboobs_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" rundll32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\likeoldboobs_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\likeoldboobs_auto_file\shell\edit\command rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 1332 NOTEPAD.EXE -
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1568 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exez7w3x.exepid process 1140 powershell.exe 1684 z7w3x.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes:
wmic.exevssvc.exepowershell.exedescription pid process Token: SeIncreaseQuotaPrivilege 1700 wmic.exe Token: SeSecurityPrivilege 1700 wmic.exe Token: SeTakeOwnershipPrivilege 1700 wmic.exe Token: SeLoadDriverPrivilege 1700 wmic.exe Token: SeSystemProfilePrivilege 1700 wmic.exe Token: SeSystemtimePrivilege 1700 wmic.exe Token: SeProfSingleProcessPrivilege 1700 wmic.exe Token: SeIncBasePriorityPrivilege 1700 wmic.exe Token: SeCreatePagefilePrivilege 1700 wmic.exe Token: SeBackupPrivilege 1700 wmic.exe Token: SeRestorePrivilege 1700 wmic.exe Token: SeShutdownPrivilege 1700 wmic.exe Token: SeDebugPrivilege 1700 wmic.exe Token: SeSystemEnvironmentPrivilege 1700 wmic.exe Token: SeRemoteShutdownPrivilege 1700 wmic.exe Token: SeUndockPrivilege 1700 wmic.exe Token: SeManageVolumePrivilege 1700 wmic.exe Token: 33 1700 wmic.exe Token: 34 1700 wmic.exe Token: 35 1700 wmic.exe Token: SeBackupPrivilege 1824 vssvc.exe Token: SeRestorePrivilege 1824 vssvc.exe Token: SeAuditPrivilege 1824 vssvc.exe Token: SeIncreaseQuotaPrivilege 1700 wmic.exe Token: SeSecurityPrivilege 1700 wmic.exe Token: SeTakeOwnershipPrivilege 1700 wmic.exe Token: SeLoadDriverPrivilege 1700 wmic.exe Token: SeSystemProfilePrivilege 1700 wmic.exe Token: SeSystemtimePrivilege 1700 wmic.exe Token: SeProfSingleProcessPrivilege 1700 wmic.exe Token: SeIncBasePriorityPrivilege 1700 wmic.exe Token: SeCreatePagefilePrivilege 1700 wmic.exe Token: SeBackupPrivilege 1700 wmic.exe Token: SeRestorePrivilege 1700 wmic.exe Token: SeShutdownPrivilege 1700 wmic.exe Token: SeDebugPrivilege 1700 wmic.exe Token: SeSystemEnvironmentPrivilege 1700 wmic.exe Token: SeRemoteShutdownPrivilege 1700 wmic.exe Token: SeUndockPrivilege 1700 wmic.exe Token: SeManageVolumePrivilege 1700 wmic.exe Token: 33 1700 wmic.exe Token: 34 1700 wmic.exe Token: 35 1700 wmic.exe Token: SeDebugPrivilege 1140 powershell.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXEpid process 1568 WINWORD.EXE 1568 WINWORD.EXE 1568 WINWORD.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
z7w3x.exenet.exedescription pid process target process PID 1684 wrote to memory of 996 1684 z7w3x.exe net.exe PID 1684 wrote to memory of 996 1684 z7w3x.exe net.exe PID 1684 wrote to memory of 996 1684 z7w3x.exe net.exe PID 1684 wrote to memory of 996 1684 z7w3x.exe net.exe PID 996 wrote to memory of 464 996 net.exe net1.exe PID 996 wrote to memory of 464 996 net.exe net1.exe PID 996 wrote to memory of 464 996 net.exe net1.exe PID 996 wrote to memory of 464 996 net.exe net1.exe PID 1684 wrote to memory of 1296 1684 z7w3x.exe sc.exe PID 1684 wrote to memory of 1296 1684 z7w3x.exe sc.exe PID 1684 wrote to memory of 1296 1684 z7w3x.exe sc.exe PID 1684 wrote to memory of 1296 1684 z7w3x.exe sc.exe PID 1684 wrote to memory of 1700 1684 z7w3x.exe wmic.exe PID 1684 wrote to memory of 1700 1684 z7w3x.exe wmic.exe PID 1684 wrote to memory of 1700 1684 z7w3x.exe wmic.exe PID 1684 wrote to memory of 1700 1684 z7w3x.exe wmic.exe PID 1684 wrote to memory of 924 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 924 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 924 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 924 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1248 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1248 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1248 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1248 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1908 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1908 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1908 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1908 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1548 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1548 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1548 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1548 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 960 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 960 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 960 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 960 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 648 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 648 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 648 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 648 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 808 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 808 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 808 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 808 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1128 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1128 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1128 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1128 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 624 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 624 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 624 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 624 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 884 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 884 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 884 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 884 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1656 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1656 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1656 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 1656 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 924 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 924 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 924 1684 z7w3x.exe vssadmin.exe PID 1684 wrote to memory of 924 1684 z7w3x.exe vssadmin.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
z7w3x.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" z7w3x.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\z7w3x.exe"C:\Users\Admin\AppData\Local\Temp\z7w3x.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\net.exenet stop VSS & sc config VSS start= disabled2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VSS & sc config VSS start= disabled3⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\sc.exesc config VSS start= Demand & net start VSS2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY delete /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\icacls.exeicacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\z7w3x.exe" >> NUL2⤵
- Deletes itself
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ResetMeasure.potx.[865b452aec].[spanielearslook].likeoldboobs1⤵
- Modifies registry class
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\WaitUninstall.wmf.[865b452aec].[spanielearslook].likeoldboobs1⤵
- Modifies registry class
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WaitUninstall.wmf.[865b452aec].[spanielearslook].likeoldboobs2⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\WaitUninstall.wmf.[865b452aec].[spanielearslook].likeoldboobsFilesize
235KB
MD56d2dfdbbe90fd20ea83a74b1e1301604
SHA14d0319a44dbdf926aeddd083942a61db4311afa9
SHA256974e02f8bd593fd1f9f840d55b12fc86bb4b3dce1ec4bf91d19bc87c0ab309da
SHA51243e85378881e86a86ddd25999f6d76e48f14a3b7d013190d9dd05b2813e2724a2476ce7ad86b873afbd7abb72a2319e8dd6ade64b26cc09b3c0d087534518451
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/464-56-0x0000000000000000-mapping.dmp
-
memory/580-71-0x0000000000000000-mapping.dmp
-
memory/624-67-0x0000000000000000-mapping.dmp
-
memory/648-64-0x0000000000000000-mapping.dmp
-
memory/808-65-0x0000000000000000-mapping.dmp
-
memory/868-87-0x000007FEFBC21000-0x000007FEFBC23000-memory.dmpFilesize
8KB
-
memory/868-86-0x0000000000000000-mapping.dmp
-
memory/884-68-0x0000000000000000-mapping.dmp
-
memory/924-59-0x0000000000000000-mapping.dmp
-
memory/924-70-0x0000000000000000-mapping.dmp
-
memory/960-63-0x0000000000000000-mapping.dmp
-
memory/996-55-0x0000000000000000-mapping.dmp
-
memory/1128-66-0x0000000000000000-mapping.dmp
-
memory/1140-76-0x0000000073C40000-0x00000000741EB000-memory.dmpFilesize
5.7MB
-
memory/1140-77-0x0000000073C40000-0x00000000741EB000-memory.dmpFilesize
5.7MB
-
memory/1140-74-0x0000000000000000-mapping.dmp
-
memory/1184-73-0x0000000000000000-mapping.dmp
-
memory/1188-72-0x0000000000000000-mapping.dmp
-
memory/1248-60-0x0000000000000000-mapping.dmp
-
memory/1288-78-0x0000000000000000-mapping.dmp
-
memory/1296-57-0x0000000000000000-mapping.dmp
-
memory/1332-92-0x0000000000000000-mapping.dmp
-
memory/1516-79-0x0000000000000000-mapping.dmp
-
memory/1548-62-0x0000000000000000-mapping.dmp
-
memory/1568-84-0x000000007122D000-0x0000000071238000-memory.dmpFilesize
44KB
-
memory/1568-82-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1568-85-0x000000007122D000-0x0000000071238000-memory.dmpFilesize
44KB
-
memory/1568-81-0x0000000070241000-0x0000000070243000-memory.dmpFilesize
8KB
-
memory/1568-88-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1568-80-0x00000000727C1000-0x00000000727C4000-memory.dmpFilesize
12KB
-
memory/1656-69-0x0000000000000000-mapping.dmp
-
memory/1684-54-0x00000000756E1000-0x00000000756E3000-memory.dmpFilesize
8KB
-
memory/1700-58-0x0000000000000000-mapping.dmp
-
memory/1908-61-0x0000000000000000-mapping.dmp