8b02927265e5ec4e7da20d1a45187ed80fcc5a8de9c2bef830eeb844b395a786

Resubmissions

29/06/2022, 11:24

220629-nh7seahbap 10

29/06/2022, 10:55

220629-m1cvbaghfq 10

Analysis

max time kernel
938s
max time network
941s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
29/06/2022, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

enc.exe
Size

7.7MB
MD5

a7ab0969bf6641cd0c7228ae95f6d217
SHA1

002971b6d178698bf7930b5b89c201750d80a07e
SHA256

117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464
SHA512

7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\\OnHnnBvUej-RECOVER-README.txt

Ransom Note

-- Agenda Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: OnHnnBvUej Domain: login: bd61eb78-64a3-4ee0-9a8e-543b8bc12b5e password: 14158620-fb98-4889-87cb-f5251368fc21%!(EXTRA string=same as login)

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 6 IoCs

pid	Process
3704	enc.exe
4932	enc.exe
2452	enc.exe
2224	enc.exe
1016	enc.exe
4180	enc.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ApproveRequest.crw => C:\Users\Admin\Pictures\ApproveRequest.crw.OnHnnBvUej	enc.exe
File opened for modification	C:\Users\Admin\Pictures\EditResume.tiff	enc.exe
File renamed	C:\Users\Admin\Pictures\ConvertRestart.crw => C:\Users\Admin\Pictures\ConvertRestart.crw.OnHnnBvUej	enc.exe
File renamed	C:\Users\Admin\Pictures\DisconnectResize.crw => C:\Users\Admin\Pictures\DisconnectResize.crw.OnHnnBvUej	enc.exe
File renamed	C:\Users\Admin\Pictures\EditResume.tiff => C:\Users\Admin\Pictures\EditResume.tiff.OnHnnBvUej	enc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	enc.exe

Loads dropped DLL 1 IoCs

pid	Process
2052	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*aster = "C:\\Users\\Public\\enc.exe"	enc.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	enc.exe
File opened (read-only)	\??\Q:	enc.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\A:	enc.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\F:	enc.exe
File opened (read-only)	\??\K:	enc.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\N:	enc.exe
File opened (read-only)	\??\W:	enc.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\G:	enc.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\R:	enc.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\P:	enc.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\B:	enc.exe
File opened (read-only)	\??\U:	enc.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\T:	enc.exe
File opened (read-only)	\??\Z:	enc.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\I:	enc.exe
File opened (read-only)	\??\L:	enc.exe
File opened (read-only)	\??\O:	enc.exe
File opened (read-only)	\??\S:	enc.exe
File opened (read-only)	\??\V:	enc.exe
File opened (read-only)	\??\X:	enc.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\E:	enc.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\J:	enc.exe
File opened (read-only)	\??\M:	enc.exe
File opened (read-only)	\??\Y:	enc.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\OnHnnBvUej-RECOVER-README.txt	enc.exe
File created	C:\Program Files\OnHnnBvUej-RECOVER-README.txt	enc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\OnHnnBvUej-RECOVER-README.txt	enc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 7 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3908	vssadmin.exe
1072	vssadmin.exe
1928	vssadmin.exe
1448	vssadmin.exe
4848	vssadmin.exe
2928	vssadmin.exe
1536	vssadmin.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	enc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	enc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time"	enc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-622 = "Korea Standard Time"	enc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	enc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	enc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe
4104	enc.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4104	enc.exe
Token: SeBackupPrivilege	4724	vssvc.exe
Token: SeRestorePrivilege	4724	vssvc.exe
Token: SeAuditPrivilege	4724	vssvc.exe
Token: SeAuditPrivilege	2052	svchost.exe
Token: SeAuditPrivilege	2052	svchost.exe
Token: SeAuditPrivilege	2052	svchost.exe
Token: SeAuditPrivilege	2052	svchost.exe
Token: SeAuditPrivilege	2052	svchost.exe
Token: SeDebugPrivilege	4932	enc.exe
Token: SeDebugPrivilege	3704	enc.exe
Token: SeDebugPrivilege	2452	enc.exe
Token: SeDebugPrivilege	4180	enc.exe
Token: SeDebugPrivilege	2224	enc.exe
Token: SeDebugPrivilege	1016	enc.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 4580	4104	enc.exe	86
PID 4104 wrote to memory of 4580	4104	enc.exe	86
PID 4580 wrote to memory of 1072	4580	cmd.exe	88
PID 4580 wrote to memory of 1072	4580	cmd.exe	88
PID 4104 wrote to memory of 2052	4104	enc.exe	92
PID 2052 wrote to memory of 3704	2052	svchost.exe	99
PID 2052 wrote to memory of 3704	2052	svchost.exe	99
PID 2052 wrote to memory of 4932	2052	svchost.exe	101
PID 2052 wrote to memory of 4932	2052	svchost.exe	101
PID 3704 wrote to memory of 4792	3704	enc.exe	104
PID 3704 wrote to memory of 4792	3704	enc.exe	104
PID 4932 wrote to memory of 5000	4932	enc.exe	103
PID 4932 wrote to memory of 5000	4932	enc.exe	103
PID 4792 wrote to memory of 1928	4792	cmd.exe	107
PID 4792 wrote to memory of 1928	4792	cmd.exe	107
PID 5000 wrote to memory of 1448	5000	cmd.exe	108
PID 5000 wrote to memory of 1448	5000	cmd.exe	108
PID 2052 wrote to memory of 2452	2052	svchost.exe	109
PID 2052 wrote to memory of 2452	2052	svchost.exe	109
PID 2052 wrote to memory of 2224	2052	svchost.exe	110
PID 2052 wrote to memory of 2224	2052	svchost.exe	110
PID 2052 wrote to memory of 1016	2052	svchost.exe	112
PID 2052 wrote to memory of 1016	2052	svchost.exe	112
PID 2052 wrote to memory of 4180	2052	svchost.exe	115
PID 2052 wrote to memory of 4180	2052	svchost.exe	115
PID 2452 wrote to memory of 4580	2452	enc.exe	117
PID 2452 wrote to memory of 4580	2452	enc.exe	117
PID 4180 wrote to memory of 2400	4180	enc.exe	118
PID 4180 wrote to memory of 2400	4180	enc.exe	118
PID 2224 wrote to memory of 1768	2224	enc.exe	120
PID 2224 wrote to memory of 1768	2224	enc.exe	120
PID 1016 wrote to memory of 2464	1016	enc.exe	119
PID 1016 wrote to memory of 2464	1016	enc.exe	119
PID 2400 wrote to memory of 2928	2400	cmd.exe	126
PID 2400 wrote to memory of 2928	2400	cmd.exe	126
PID 1768 wrote to memory of 4848	1768	cmd.exe	125
PID 1768 wrote to memory of 4848	1768	cmd.exe	125
PID 4580 wrote to memory of 1536	4580	cmd.exe	127
PID 4580 wrote to memory of 1536	4580	cmd.exe	127
PID 2464 wrote to memory of 3908	2464	cmd.exe	128
PID 2464 wrote to memory of 3908	2464	cmd.exe	128

C:\Users\Admin\AppData\Local\Temp\enc.exe
"C:\Users\Admin\AppData\Local\Temp\enc.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Public\enc.exe
  "C:\Users\Public\enc.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1928
- C:\Users\Public\enc.exe
  "C:\Users\Public\enc.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1448
- C:\Users\Public\enc.exe
  "C:\Users\Public\enc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1536
- C:\Users\Public\enc.exe
  "C:\Users\Public\enc.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4848
- C:\Users\Public\enc.exe
  "C:\Users\Public\enc.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3908
- C:\Users\Public\enc.exe
  "C:\Users\Public\enc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2928

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\OnHnnBvUej-RECOVER-README.txt
1⤵
PID:3932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:2512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\OnHnnBvUej-RECOVER-README.txt

Filesize
1KB

MD5
3a29ccf8fcbac5d1797999d3699375b1

SHA1
9993778053593d2704992f9e9cd7b79f4bd4a244

SHA256
534b085697b8406738b3281c1ca067cc90290ca8d44d2608eecdf4c0626c7e16

SHA512
99c1c76acd7e6ba366505000a21dc77400cb5531203f658d311d4b3926db90f331b870bb4d0bd6cd7731a41657b97d62feedb6fab74cee602c8fd91cc1d73600

Download Submit
C:\Users\Public\enc.exe

Filesize
7.7MB

MD5
a7ab0969bf6641cd0c7228ae95f6d217

SHA1
002971b6d178698bf7930b5b89c201750d80a07e

SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Download Submit
C:\Users\Public\enc.exe

Filesize
7.7MB

MD5
a7ab0969bf6641cd0c7228ae95f6d217

SHA1
002971b6d178698bf7930b5b89c201750d80a07e

SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Download Submit
C:\Users\Public\enc.exe

Filesize
7.7MB

MD5
a7ab0969bf6641cd0c7228ae95f6d217

SHA1
002971b6d178698bf7930b5b89c201750d80a07e

SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Download Submit
C:\Users\Public\enc.exe

Filesize
7.7MB

MD5
a7ab0969bf6641cd0c7228ae95f6d217

SHA1
002971b6d178698bf7930b5b89c201750d80a07e

SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Download Submit
C:\Users\Public\enc.exe

Filesize
7.7MB

MD5
a7ab0969bf6641cd0c7228ae95f6d217

SHA1
002971b6d178698bf7930b5b89c201750d80a07e

SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Download Submit
C:\Users\Public\enc.exe

Filesize
7.7MB

MD5
a7ab0969bf6641cd0c7228ae95f6d217

SHA1
002971b6d178698bf7930b5b89c201750d80a07e

SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Download Submit
C:\Users\Public\enc.exe

Filesize
7.7MB

MD5
a7ab0969bf6641cd0c7228ae95f6d217

SHA1
002971b6d178698bf7930b5b89c201750d80a07e

SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Download Submit
C:\Users\Public\pwndll.dll

Filesize
91KB

MD5
e966c38c5b1a05d0bd86eb0edc1d3b84

SHA1
f10443e13b82c93f203c0428a357205aa55f2dee

SHA256
28aeb2d6576b2437ecab535c0a1bf41713ee9864611965bf1d498a87cbdd2fab

SHA512
6c80ec34f0d581e0924cb58f22e5bc70e36fcc6119db779744fad007bd943d95e5f646f06244e9a5aa40685649b7730e46dded68c0732e81559dded33a4dbe7b

Download Submit
C:\Users\Public\pwndll.dll

Filesize
91KB

MD5
e966c38c5b1a05d0bd86eb0edc1d3b84

SHA1
f10443e13b82c93f203c0428a357205aa55f2dee

SHA256
28aeb2d6576b2437ecab535c0a1bf41713ee9864611965bf1d498a87cbdd2fab

SHA512
6c80ec34f0d581e0924cb58f22e5bc70e36fcc6119db779744fad007bd943d95e5f646f06244e9a5aa40685649b7730e46dded68c0732e81559dded33a4dbe7b

Download Submit