gandcrab | 421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de

General

Target

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
Size

410KB
MD5

3a6c7506de79ae783f718bc6701fd244
SHA1

a5601ae8bc95cbb887aac2face46d911527c6c2b
SHA256

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de
SHA512

3010eda9988f31b642b130e71c401dcb9642d2e2c0518741e4455e4e9245d8d4484b8dcd77e124dde798567efa74b725b2b831ecd958f72d2230efa37f11707c

Score

10^/10

gandcrab backdoor ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\FTTXQHVO-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .FTTXQHVO The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/34850e12b23367ae | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAJbw0Ty9cDGqCWBdEsNhnYwiuisxPNcgPD+3/nJtPDikgdk71gP8UZKnfolR7AOPRgezxj6pdwuqFIF7l9kN0HyFwnu/eq3fcXXaJbw6huc4t/8LMKwj8dro1+/og/nTzVvKXcOKxValcWCmthBdB/Eujs5rXyOOhAvVC3W/+grvutY6V0oHVo5gVCMjxDZihQ/RdIBCzxKfjfYAsP0zI3wDEysGgnAzIRTJfogymsircOqYNLCdUN0TsMzQhJvIOJhXp3e8wxU1mtB3Uka9arR3mJqFeS5E9eN2MJ/AL/zlDi9HXZ9qAnQ1cnVrNB4ikz2VU1mgH/ZJi2dN6JZYdnlnQZV9sH6Iy0wiBTYtbdLXj70pDjVJlj2vto6MKgDl8/zBRCV8g8rXAMmWC9gEKrJNMYyBwhZt5YzNoOWngYuiNO0zb1+UX5XvqgpBi4ZeaHQG8BFvxoz4S160zaT5XbO80G1o6d82a8kfKjCa2JEAjmnZwBINMRiN9pLKTA857GSlteh743DljLc4YDKtQqfRPLBH1pN5E54Uu86kNAb7p32H2h6fF0+7R9tY6DOU7v5+TOzC497jMcMc6BvPU1JDDspd8OEymn8UjvCAbNH4wq252U0i3cYDgi4NNem4O9twV/skAiid0BXs2aJsbfdC361ntdgaB8O//3ittx2HR3PTCTtW3p8goPurwN2gopdYqYTB34HpamiJxYrLqCra+KnEE6UadNtXbL5knpSEz7cvnvU7TQBABJA1jsuwnERJ6Bh+nOIJ6fz7DmkUDMKOOD2Am4nd4T+OxVLof+HHT2Nwfn4d247aSx0agv/DoMZrU842SnzLAAMNcLwlZ9wJpKRjfYwFJjSJFvQSE2IIb4jwGJiPRCcda5iKe1Xo4OBqwIICC9QnyJwFpbceYXZc3XmNIYsPLB1Ug7FbWBMMYony3nqd/D/rDJ25Y94coKRujtCxFeiJ6Ek7UxSh+iZsUUTueyzozWtaqrFB4Swnd9VsM09KOotF4h4+6Ti3uy5xYar4A2+qWQV/d09waVIqERQUsib5jKQBNIW34PuBQhyo/zNr0y3gQKVpXOpVZbR1AJYBi/eTqBJMB0DdHqI8psJQKHuKBhyqB8mKUdnSWa0RvR4y3eCQlcn2hAdVEtCA1wnMYcHuJhqBGSg2PlykidsZRVLQxQk1SJO73V4D8lmIRj4SsodU/rrEYWU4aliskBVsK6hPMDuEB1GPvXfJ9GvobMIcpuHdbeaBJ2QdbPpU/ymVlcZeT5wIB06GJGsH61cIGtgmVAYu37WjocM0U15dUX5m8EUZacSJeKKUYXXQtAxALgHT2QuydGA28XHH4fjCbATZ8MOEhC+rBaprjUIyoZuPt58VaYq6FOUav4z7p9Va2GaDU9vI0S1gvx5ruhzLgzuvbRjVJXBn/JWmpqvLKnXhC4hBSh2CjvVMOi3M9kXUjcLGUAaJPuvhwEYPQSKePKBqP01T93ZzzrAFEikALQKFYv4OFzhOqgaYsC46q8XjN4hPOfUmxjysrJuzGv7QbYPuERplK4cGl1yOA5vudUR1fCttumlrBBmxzquYTSUlYvUANMcGmM9aqvIY/3rCfmoya6T4huMTenWY/ou2cgjJrROE+f0wkO2734FC/jIg3vIqLaodM5CO25bdrBAK5Msg/LrBFS7nx33JYZdiKAF6JIydZ+TODHxb5ffQhTfr/PUtJ7T0BDV9eptLTQz6/YMgMzAnm/flhiJmqVZAO7NiWQbW+ZY+FsP6uHy0259FzLGH+f0oKlqVB7Ng7uBhtmt8p4jfFhlul19MHQ3wkSCv0Usb2X7LTiitA04zANzdgeHy11hjc+OOUI/z7F2YqhLoRsiFTKORcFr9opzsP9FyEmPkhviXKl9IvoQfccLi6GGuCvSoBE99Liauz1gQrg4P/Xa4xp9x9pPo7AAuLlJPt2XuqbFudfT1Q+UfS+Q3ejKojRVU1WEx9vFYoXl1hhYZfbrznoeCaTZDZdc0ICJRWq+ighYGjTVRpyNWVGD6FwHfvoGiLI/P5wBPEzeQjJlgyNbGAsGDwMHIRhyEs4C24ZZibw8ubsvzkxMIvdaCTHVLWogdp9h59bWHhlWYgFZt7B7AEZhULccRy92A4P3HterSBjdIfH/0dPBRvbHoUQOfI5yGJl2pcswiXqmwm+Uw0nJ1UaAxVh/e88MAGIi0OyGAsh9Ak/D0MfG6gCklZThHVD9cT39Gk/gqqsA= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZDToFRtnYV7ntWsrfYTGmHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi4LF2kUDB5eKk/zM2EOskGolYblqABiTtqxHREYgb9CcE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJpJFswNcoAhPJnK0+Ce5dALefhGEwg7NrKg3sxA1KwA7/ZizpChFP3vXLMuar1wYZJ3RPRgGKcTnQ1ljgcH8bmQvf3SygQSZnxLJ6lsKw7XIGVYvpajeyfEEcPsAgPy9N3X8IQ3zC3qZcEuPtMkirBZ9MPJGmHt4OJb+RRYcPqYktV/LuurOUzA== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/34850e12b23367ae

Signatures

GandCrab payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1184-57-0x0000000000400000-0x0000000000428000-memory.dmp	family_gandcrab
behavioral1/memory/1184-58-0x0000000000406217-mapping.dmp	family_gandcrab
behavioral1/memory/1184-61-0x0000000000400000-0x0000000000428000-memory.dmp	family_gandcrab
behavioral1/memory/1184-62-0x0000000000400000-0x0000000000428000-memory.dmp	family_gandcrab
behavioral1/memory/1184-63-0x0000000000400000-0x0000000000428000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\AddPush.tif => C:\Users\Admin\Pictures\AddPush.tif.fttxqhvo	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File renamed	C:\Users\Admin\Pictures\ReceiveInvoke.raw => C:\Users\Admin\Pictures\ReceiveInvoke.raw.fttxqhvo	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File renamed	C:\Users\Admin\Pictures\ConvertToRequest.tiff => C:\Users\Admin\Pictures\ConvertToRequest.tiff.fttxqhvo	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File renamed	C:\Users\Admin\Pictures\InvokeExport.raw => C:\Users\Admin\Pictures\InvokeExport.raw.fttxqhvo	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File renamed	C:\Users\Admin\Pictures\RemoveConfirm.tif => C:\Users\Admin\Pictures\RemoveConfirm.tif.fttxqhvo	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File renamed	C:\Users\Admin\Pictures\UnblockUninstall.png => C:\Users\Admin\Pictures\UnblockUninstall.png.fttxqhvo	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File renamed	C:\Users\Admin\Pictures\UnlockLock.raw => C:\Users\Admin\Pictures\UnlockLock.raw.fttxqhvo	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File renamed	C:\Users\Admin\Pictures\CompressInstall.tif => C:\Users\Admin\Pictures\CompressInstall.tif.fttxqhvo	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertToRequest.tiff	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

description	ioc	process
File opened (read-only)	\??\B:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\G:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\H:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\O:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\R:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\E:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\F:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\I:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\K:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\L:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\N:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\P:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\U:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\Y:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\A:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\M:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\S:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\W:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\Z:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\J:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\Q:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\T:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\V:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened (read-only)	\??\X:	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

description	pid	process	target process
PID 1980 set thread context of 1184	1980	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

Drops file in Program Files directory 36 IoCs

Processes:

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

description	ioc	process
File opened for modification	C:\Program Files\DisablePublish.shtml	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\PublishConnect.mhtml	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\ResetReceive.aifc	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File created	C:\Program Files (x86)\FTTXQHVO-DECRYPT.txt	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\UnblockUnregister.mpp	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\FTTXQHVO-DECRYPT.txt	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\FTTXQHVO-DECRYPT.txt	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\AddExpand.xhtml	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\AssertUnregister.ex_	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\EnterDeny.vbe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\PublishWait.wvx	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\DenySync.gif	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\DisablePublish.vssx	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\OutRepair.iso	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File created	C:\Program Files (x86)\b233604db23367af20.lock	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\GrantRequest.dxf	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\LimitSkip.mpeg2	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\WaitRename.pptm	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\b233604db23367af20.lock	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File created	C:\Program Files\FTTXQHVO-DECRYPT.txt	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\UndoApprove.xlsm	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\b233604db23367af20.lock	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\ConnectPush.3gp	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\LockImport.asx	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\StartCompress.ods	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\FTTXQHVO-DECRYPT.txt	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File created	C:\Program Files\b233604db23367af20.lock	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\LockStep.ADTS	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\ReceivePublish.docx	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\b233604db23367af20.lock	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\MergeSync.wma	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\RevokeEnter.ppsm	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\CompleteUpdate.css	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\DenyExport.doc	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\InitializeProtect.png	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
File opened for modification	C:\Program Files\InitializeStart.eprtx	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

pid	process
1184	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
1184	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exewmic.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1980	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
Token: SeIncreaseQuotaPrivilege	1944	wmic.exe
Token: SeSecurityPrivilege	1944	wmic.exe
Token: SeTakeOwnershipPrivilege	1944	wmic.exe
Token: SeLoadDriverPrivilege	1944	wmic.exe
Token: SeSystemProfilePrivilege	1944	wmic.exe
Token: SeSystemtimePrivilege	1944	wmic.exe
Token: SeProfSingleProcessPrivilege	1944	wmic.exe
Token: SeIncBasePriorityPrivilege	1944	wmic.exe
Token: SeCreatePagefilePrivilege	1944	wmic.exe
Token: SeBackupPrivilege	1944	wmic.exe
Token: SeRestorePrivilege	1944	wmic.exe
Token: SeShutdownPrivilege	1944	wmic.exe
Token: SeDebugPrivilege	1944	wmic.exe
Token: SeSystemEnvironmentPrivilege	1944	wmic.exe
Token: SeRemoteShutdownPrivilege	1944	wmic.exe
Token: SeUndockPrivilege	1944	wmic.exe
Token: SeManageVolumePrivilege	1944	wmic.exe
Token: 33	1944	wmic.exe
Token: 34	1944	wmic.exe
Token: 35	1944	wmic.exe
Token: SeIncreaseQuotaPrivilege	1944	wmic.exe
Token: SeSecurityPrivilege	1944	wmic.exe
Token: SeTakeOwnershipPrivilege	1944	wmic.exe
Token: SeLoadDriverPrivilege	1944	wmic.exe
Token: SeSystemProfilePrivilege	1944	wmic.exe
Token: SeSystemtimePrivilege	1944	wmic.exe
Token: SeProfSingleProcessPrivilege	1944	wmic.exe
Token: SeIncBasePriorityPrivilege	1944	wmic.exe
Token: SeCreatePagefilePrivilege	1944	wmic.exe
Token: SeBackupPrivilege	1944	wmic.exe
Token: SeRestorePrivilege	1944	wmic.exe
Token: SeShutdownPrivilege	1944	wmic.exe
Token: SeDebugPrivilege	1944	wmic.exe
Token: SeSystemEnvironmentPrivilege	1944	wmic.exe
Token: SeRemoteShutdownPrivilege	1944	wmic.exe
Token: SeUndockPrivilege	1944	wmic.exe
Token: SeManageVolumePrivilege	1944	wmic.exe
Token: 33	1944	wmic.exe
Token: 34	1944	wmic.exe
Token: 35	1944	wmic.exe
Token: SeBackupPrivilege	1492	vssvc.exe
Token: SeRestorePrivilege	1492	vssvc.exe
Token: SeAuditPrivilege	1492	vssvc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

C:\Users\Admin\AppData\Local\Temp\421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
"C:\Users\Admin\AppData\Local\Temp\421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
"C:\Users\Admin\AppData\Local\Temp\421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe"
2⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
589c442fc7a0c70dca927115a700d41e

SHA1
66a07dace3afbfd1aa07a47e6875beab62c4bb31

SHA256
2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

SHA512
1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
3f9691c1e1baab31fae0a489d531b175

SHA1
276d732915bc82fff823d7ad1da1e7893f9f9009

SHA256
089034cdca0dca253e37b107cac0ea03c3de3a2baffc21a8800116c8b3733fcd

SHA512
93aa032e9a7c14fdd3922b2599b136b61c90b4caadda9e3afda0f8db0b096d38811398f4b4aba6e8c596dda410f12548293d7874cd0fdf9b90ba9cb19cb3b195

Download Submit
memory/1184-57-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1184-58-0x0000000000406217-mapping.dmp

Download
memory/1184-61-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1184-62-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1184-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1944-64-0x0000000000000000-mapping.dmp

Download
memory/1980-54-0x0000000001170000-0x00000000011DA000-memory.dmp

Filesize
424KB

Download
memory/1980-55-0x0000000076C01000-0x0000000076C03000-memory.dmp

Filesize
8KB

Download
memory/1980-56-0x0000000000580000-0x00000000005A0000-memory.dmp

Filesize
128KB

Download

description	pid	process	target process
PID 1980 wrote to memory of 1184	1980	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 1980 wrote to memory of 1184	1980	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 1980 wrote to memory of 1184	1980	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 1980 wrote to memory of 1184	1980	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 1980 wrote to memory of 1184	1980	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 1980 wrote to memory of 1184	1980	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 1980 wrote to memory of 1184	1980	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 1980 wrote to memory of 1184	1980	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 1980 wrote to memory of 1184	1980	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 1980 wrote to memory of 1184	1980	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 1980 wrote to memory of 1184	1980	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
PID 1184 wrote to memory of 1944	1184	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	wmic.exe
PID 1184 wrote to memory of 1944	1184	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	wmic.exe
PID 1184 wrote to memory of 1944	1184	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	wmic.exe
PID 1184 wrote to memory of 1944	1184	421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe	wmic.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads