8b02927265e5ec4e7da20d1a45187ed80fcc5a8de9c2bef830eeb844b395a786

Resubmissions

29/06/2022, 11:24

220629-nh7seahbap 10

29/06/2022, 10:55

220629-m1cvbaghfq 10

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
29/06/2022, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

enc.exe
Size

7.7MB
MD5

a7ab0969bf6641cd0c7228ae95f6d217
SHA1

002971b6d178698bf7930b5b89c201750d80a07e
SHA256

117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464
SHA512

7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\\OnHnnBvUej-RECOVER-README.txt

Ransom Note

-- Agenda Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: OnHnnBvUej Domain: login: bd61eb78-64a3-4ee0-9a8e-543b8bc12b5e password: 14158620-fb98-4889-87cb-f5251368fc21%!(EXTRA string=same as login)

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 3 IoCs

pid	Process
1724	svchost.exe
4340	enc.exe
5056	enc.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\PushSwitch.raw => C:\Users\Admin\Pictures\PushSwitch.raw.OnHnnBvUej	enc.exe
File renamed	C:\Users\Admin\Pictures\LockWrite.tif => C:\Users\Admin\Pictures\LockWrite.tif.OnHnnBvUej	enc.exe
File opened for modification	C:\Users\Admin\Pictures\NewClose.tiff	enc.exe
File renamed	C:\Users\Admin\Pictures\HideWait.png => C:\Users\Admin\Pictures\HideWait.png.OnHnnBvUej	enc.exe
File renamed	C:\Users\Admin\Pictures\ImportComplete.tif => C:\Users\Admin\Pictures\ImportComplete.tif.OnHnnBvUej	enc.exe
File renamed	C:\Users\Admin\Pictures\NewClose.tiff => C:\Users\Admin\Pictures\NewClose.tiff.OnHnnBvUej	enc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	enc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*aster = "C:\\Users\\Public\\enc.exe"	enc.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\Z:	enc.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\I:	enc.exe
File opened (read-only)	\??\R:	enc.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\N:	enc.exe
File opened (read-only)	\??\E:	enc.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\B:	enc.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\G:	enc.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\S:	enc.exe
File opened (read-only)	\??\W:	enc.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\H:	enc.exe
File opened (read-only)	\??\J:	enc.exe
File opened (read-only)	\??\K:	enc.exe
File opened (read-only)	\??\P:	enc.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\T:	enc.exe
File opened (read-only)	\??\Y:	enc.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\A:	enc.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	enc.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\M:	enc.exe
File opened (read-only)	\??\O:	enc.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\F:	enc.exe
File opened (read-only)	\??\U:	enc.exe
File opened (read-only)	\??\V:	enc.exe
File opened (read-only)	\??\M:	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\OnHnnBvUej-RECOVER-README.txt	enc.exe
File created	C:\Program Files\OnHnnBvUej-RECOVER-README.txt	enc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\OnHnnBvUej-RECOVER-README.txt	enc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2924	vssadmin.exe
3476	vssadmin.exe
2224	vssadmin.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	enc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	enc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time"	enc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe
2764	enc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	enc.exe
Token: SeBackupPrivilege	4996	vssvc.exe
Token: SeRestorePrivilege	4996	vssvc.exe
Token: SeAuditPrivilege	4996	vssvc.exe
Token: SeAuditPrivilege	2076	svchost.exe
Token: SeAuditPrivilege	2076	svchost.exe
Token: SeAuditPrivilege	2076	svchost.exe
Token: SeAuditPrivilege	2076	svchost.exe
Token: SeDebugPrivilege	5056	enc.exe
Token: SeDebugPrivilege	4340	enc.exe
Token: SeAuditPrivilege	2076	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe
Token: SeAuditPrivilege	1636	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2324	2764	enc.exe	84
PID 2764 wrote to memory of 2324	2764	enc.exe	84
PID 2324 wrote to memory of 2924	2324	cmd.exe	86
PID 2324 wrote to memory of 2924	2324	cmd.exe	86
PID 2764 wrote to memory of 1724	2764	enc.exe	31
PID 1724 wrote to memory of 4340	1724	svchost.exe	97
PID 1724 wrote to memory of 4340	1724	svchost.exe	97
PID 1724 wrote to memory of 5056	1724	svchost.exe	99
PID 1724 wrote to memory of 5056	1724	svchost.exe	99
PID 5056 wrote to memory of 4888	5056	enc.exe	101
PID 5056 wrote to memory of 4888	5056	enc.exe	101
PID 4340 wrote to memory of 4008	4340	enc.exe	103
PID 4340 wrote to memory of 4008	4340	enc.exe	103
PID 4888 wrote to memory of 3476	4888	cmd.exe	105
PID 4888 wrote to memory of 3476	4888	cmd.exe	105
PID 4008 wrote to memory of 2224	4008	cmd.exe	106
PID 4008 wrote to memory of 2224	4008	cmd.exe	106

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Public\enc.exe
  "C:\Users\Public\enc.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2224
- C:\Users\Public\enc.exe
  "C:\Users\Public\enc.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3476

C:\Users\Admin\AppData\Local\Temp\enc.exe
"C:\Users\Admin\AppData\Local\Temp\enc.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\enc.exe

Filesize
7.7MB

MD5
a7ab0969bf6641cd0c7228ae95f6d217

SHA1
002971b6d178698bf7930b5b89c201750d80a07e

SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Download Submit
C:\Users\Public\enc.exe

Filesize
7.7MB

MD5
a7ab0969bf6641cd0c7228ae95f6d217

SHA1
002971b6d178698bf7930b5b89c201750d80a07e

SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Download Submit
C:\Users\Public\enc.exe

Filesize
7.7MB

MD5
a7ab0969bf6641cd0c7228ae95f6d217

SHA1
002971b6d178698bf7930b5b89c201750d80a07e

SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Download Submit
C:\Users\Public\pwndll.dll

Filesize
91KB

MD5
e966c38c5b1a05d0bd86eb0edc1d3b84

SHA1
f10443e13b82c93f203c0428a357205aa55f2dee

SHA256
28aeb2d6576b2437ecab535c0a1bf41713ee9864611965bf1d498a87cbdd2fab

SHA512
6c80ec34f0d581e0924cb58f22e5bc70e36fcc6119db779744fad007bd943d95e5f646f06244e9a5aa40685649b7730e46dded68c0732e81559dded33a4dbe7b

Download Submit
C:\Users\Public\pwndll.dll

Filesize
91KB

MD5
e966c38c5b1a05d0bd86eb0edc1d3b84

SHA1
f10443e13b82c93f203c0428a357205aa55f2dee

SHA256
28aeb2d6576b2437ecab535c0a1bf41713ee9864611965bf1d498a87cbdd2fab

SHA512
6c80ec34f0d581e0924cb58f22e5bc70e36fcc6119db779744fad007bd943d95e5f646f06244e9a5aa40685649b7730e46dded68c0732e81559dded33a4dbe7b

Download Submit