Analysis
max time kernel: 147s
max time network: 153s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64 arch:x86 image:win7-20220715-en locale:en-us os:windows7-x64 system
submitted: 25-07-2022 03:20
Static task: static1
Behavioral task: behavioral1
  Sample: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
  Resource: win10v2004-20220722-en
General
Target: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
Size: 391KB
MD5: 556f80cd43688a4207fdf1d3af8231cf
SHA1: 1e284ecbc04e8448c5409eaa86fe6dd0f2005e52
SHA256: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518
SHA512: 61de644678fafa5cc7d75e070d0ec01ccca43d68f992de1b2628f0f8cbe5f74c75beaeac8ed798c4009ce7b596a6a02c340cb29c1fad6d84ab80fadae627ca6f
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
Extracted
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
cerber
http://cerberhhyed5frqa.xlfp45.win/B33F-61B5-F13F-0063-7090
http://cerberhhyed5frqa.slr849.win/B33F-61B5-F13F-0063-7090
http://cerberhhyed5frqa.ret5kr.win/B33F-61B5-F13F-0063-7090
http://cerberhhyed5frqa.zgf48j.win/B33F-61B5-F13F-0063-7090
http://cerberhhyed5frqa.xltnet.win/B33F-61B5-F13F-0063-7090
http://cerberhhyed5frqa.onion/B33F-61B5-F13F-0063-7090
Extracted
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
http://cerberhhyed5frqa.xlfp45.win/B33F-61B5-F13F-0063-7090
http://cerberhhyed5frqa.slr849.win/B33F-61B5-F13F-0063-7090
http://cerberhhyed5frqa.ret5kr.win/B33F-61B5-F13F-0063-7090
http://cerberhhyed5frqa.zgf48j.win/B33F-61B5-F13F-0063-7090
http://cerberhhyed5frqa.xltnet.win/B33F-61B5-F13F-0063-7090
http://cerberhhyed5frqa.onion/B33F-61B5-F13F-0063-7090
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
suricata: ET MALWARE Ransomware/Cerber Checkin 2
-
suricata: ET MALWARE Ransomware/Cerber Checkin M3 (12)
-
Contacts a large (16386) number of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
pid | process
1156 | bcdedit.exe
1648 | bcdedit.exe
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3FDA8883-7C9D-C032-FD64-C2100C9BF2F3}\\unlodctr.exe\"" | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3FDA8883-7C9D-C032-FD64-C2100C9BF2F3}\\unlodctr.exe\"" | unlodctr.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2020 | unlodctr.exe
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\NewExit.tiff | unlodctr.exe
File opened for modification | C:\Users\Admin\Pictures\MountGrant.tiff | unlodctr.exe
File opened for modification | C:\Users\Admin\Pictures\UnblockAdd.tiff | unlodctr.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
1168 | cmd.exe
-
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\unlodctr.lnk | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
1752 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
1752 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
2020 | unlodctr.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\unlodctr = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3FDA8883-7C9D-C032-FD64-C2100C9BF2F3}\\unlodctr.exe\"" | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run | unlodctr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\unlodctr = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3FDA8883-7C9D-C032-FD64-C2100C9BF2F3}\\unlodctr.exe\"" | unlodctr.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | unlodctr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\unlodctr = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3FDA8883-7C9D-C032-FD64-C2100C9BF2F3}\\unlodctr.exe\"" | unlodctr.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\unlodctr = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3FDA8883-7C9D-C032-FD64-C2100C9BF2F3}\\unlodctr.exe\"" | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | unlodctr.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
3 | ipinfo.io
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp3C37.bmp" | unlodctr.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
1436 | vssadmin.exe
-
Kills process with taskkill 1 IoCs
Processes:
pid | process
1316 | taskkill.exe
-
Modifies Control Panel 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Control Panel\Desktop | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3FDA8883-7C9D-C032-FD64-C2100C9BF2F3}\\unlodctr.exe\"" | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Control Panel\Desktop | unlodctr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3FDA8883-7C9D-C032-FD64-C2100C9BF2F3}\\unlodctr.exe\"" | unlodctr.exe
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0F2265F1-0BC9-11ED-AA2A-6ACE15CCDF97} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0EF78D31-0BC9-11ED-AA2A-6ACE15CCDF97} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid | process
2020 | unlodctr.exe
2020 | unlodctr.exe
2020 | unlodctr.exe
2020 | unlodctr.exe
2020 | unlodctr.exe
2020 | unlodctr.exe
2020 | unlodctr.exe
2020 | unlodctr.exe
2020 | unlodctr.exe
2020 | unlodctr.exe
2020 | unlodctr.exe
2020 | unlodctr.exe
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1752 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
Token: SeDebugPrivilege | 2020 | unlodctr.exe
Token: SeDebugPrivilege | 1316 | taskkill.exe
Token: SeBackupPrivilege | 1880 | vssvc.exe
Token: SeRestorePrivilege | 1880 | vssvc.exe
Token: SeAuditPrivilege | 1880 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 1616 | wmic.exe
Token: SeSecurityPrivilege | 1616 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1616 | wmic.exe
Token: SeLoadDriverPrivilege | 1616 | wmic.exe
Token: SeSystemProfilePrivilege | 1616 | wmic.exe
Token: SeSystemtimePrivilege | 1616 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1616 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1616 | wmic.exe
Token: SeCreatePagefilePrivilege | 1616 | wmic.exe
Token: SeBackupPrivilege | 1616 | wmic.exe
Token: SeRestorePrivilege | 1616 | wmic.exe
Token: SeShutdownPrivilege | 1616 | wmic.exe
Token: SeDebugPrivilege | 1616 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1616 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1616 | wmic.exe
Token: SeUndockPrivilege | 1616 | wmic.exe
Token: SeManageVolumePrivilege | 1616 | wmic.exe
Token: 33 | 1616 | wmic.exe
Token: 34 | 1616 | wmic.exe
Token: 35 | 1616 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 1616 | wmic.exe
Token: SeSecurityPrivilege | 1616 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1616 | wmic.exe
Token: SeLoadDriverPrivilege | 1616 | wmic.exe
Token: SeSystemProfilePrivilege | 1616 | wmic.exe
Token: SeSystemtimePrivilege | 1616 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1616 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1616 | wmic.exe
Token: SeCreatePagefilePrivilege | 1616 | wmic.exe
Token: SeBackupPrivilege | 1616 | wmic.exe
Token: SeRestorePrivilege | 1616 | wmic.exe
Token: SeShutdownPrivilege | 1616 | wmic.exe
Token: SeDebugPrivilege | 1616 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1616 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1616 | wmic.exe
Token: SeUndockPrivilege | 1616 | wmic.exe
Token: SeManageVolumePrivilege | 1616 | wmic.exe
Token: 33 | 1616 | wmic.exe
Token: 34 | 1616 | wmic.exe
Token: 35 | 1616 | wmic.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid | process
1508 | iexplore.exe
604 | iexplore.exe
604 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid | process
604 | iexplore.exe
604 | iexplore.exe
1508 | iexplore.exe
1508 | iexplore.exe
604 | iexplore.exe
604 | iexplore.exe
844 | IEXPLORE.EXE
1616 | IEXPLORE.EXE
1616 | IEXPLORE.EXE
844 | IEXPLORE.EXE
900 | IEXPLORE.EXE
900 | IEXPLORE.EXE
-
Suspicious use of UnmapMainImage 2 IoCs
Processes:
pid | process
1752 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
2020 | unlodctr.exe
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes:
description | pid | process | target process
PID 1752 wrote to memory of 2020 | 1752 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe | unlodctr.exe
PID 1752 wrote to memory of 2020 | 1752 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe | unlodctr.exe
PID 1752 wrote to memory of 2020 | 1752 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe | unlodctr.exe
PID 1752 wrote to memory of 2020 | 1752 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe | unlodctr.exe
PID 1752 wrote to memory of 1168 | 1752 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe | cmd.exe
PID 1752 wrote to memory of 1168 | 1752 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe | cmd.exe
PID 1752 wrote to memory of 1168 | 1752 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe | cmd.exe
PID 1752 wrote to memory of 1168 | 1752 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe | cmd.exe
PID 2020 wrote to memory of 1436 | 2020 | unlodctr.exe | vssadmin.exe
PID 2020 wrote to memory of 1436 | 2020 | unlodctr.exe | vssadmin.exe
PID 2020 wrote to memory of 1436 | 2020 | unlodctr.exe | vssadmin.exe
PID 2020 wrote to memory of 1436 | 2020 | unlodctr.exe | vssadmin.exe
PID 1168 wrote to memory of 1316 | 1168 | cmd.exe | taskkill.exe
PID 1168 wrote to memory of 1316 | 1168 | cmd.exe | taskkill.exe
PID 1168 wrote to memory of 1316 | 1168 | cmd.exe | taskkill.exe
PID 1168 wrote to memory of 1316 | 1168 | cmd.exe | taskkill.exe
PID 1168 wrote to memory of 512 | 1168 | cmd.exe | PING.EXE
PID 1168 wrote to memory of 512 | 1168 | cmd.exe | PING.EXE
PID 1168 wrote to memory of 512 | 1168 | cmd.exe | PING.EXE
PID 1168 wrote to memory of 512 | 1168 | cmd.exe | PING.EXE
PID 2020 wrote to memory of 1616 | 2020 | unlodctr.exe | wmic.exe
PID 2020 wrote to memory of 1616 | 2020 | unlodctr.exe | wmic.exe
PID 2020 wrote to memory of 1616 | 2020 | unlodctr.exe | wmic.exe
PID 2020 wrote to memory of 1616 | 2020 | unlodctr.exe | wmic.exe
PID 2020 wrote to memory of 1156 | 2020 | unlodctr.exe | bcdedit.exe
PID 2020 wrote to memory of 1156 | 2020 | unlodctr.exe | bcdedit.exe
PID 2020 wrote to memory of 1156 | 2020 | unlodctr.exe | bcdedit.exe
PID 2020 wrote to memory of 1156 | 2020 | unlodctr.exe | bcdedit.exe
PID 2020 wrote to memory of 1648 | 2020 | unlodctr.exe | bcdedit.exe
PID 2020 wrote to memory of 1648 | 2020 | unlodctr.exe | bcdedit.exe
PID 2020 wrote to memory of 1648 | 2020 | unlodctr.exe | bcdedit.exe
PID 2020 wrote to memory of 1648 | 2020 | unlodctr.exe | bcdedit.exe
PID 2020 wrote to memory of 604 | 2020 | unlodctr.exe | iexplore.exe
PID 2020 wrote to memory of 604 | 2020 | unlodctr.exe | iexplore.exe
PID 2020 wrote to memory of 604 | 2020 | unlodctr.exe | iexplore.exe
PID 2020 wrote to memory of 604 | 2020 | unlodctr.exe | iexplore.exe
PID 2020 wrote to memory of 208 | 2020 | unlodctr.exe | NOTEPAD.EXE
PID 2020 wrote to memory of 208 | 2020 | unlodctr.exe | NOTEPAD.EXE
PID 2020 wrote to memory of 208 | 2020 | unlodctr.exe | NOTEPAD.EXE
PID 2020 wrote to memory of 208 | 2020 | unlodctr.exe | NOTEPAD.EXE
PID 604 wrote to memory of 1616 | 604 | iexplore.exe | IEXPLORE.EXE
PID 604 wrote to memory of 1616 | 604 | iexplore.exe | IEXPLORE.EXE
PID 604 wrote to memory of 1616 | 604 | iexplore.exe | IEXPLORE.EXE
PID 604 wrote to memory of 1616 | 604 | iexplore.exe | IEXPLORE.EXE
PID 1508 wrote to memory of 844 | 1508 | iexplore.exe | IEXPLORE.EXE
PID 1508 wrote to memory of 844 | 1508 | iexplore.exe | IEXPLORE.EXE
PID 1508 wrote to memory of 844 | 1508 | iexplore.exe | IEXPLORE.EXE
PID 1508 wrote to memory of 844 | 1508 | iexplore.exe | IEXPLORE.EXE
PID 604 wrote to memory of 900 | 604 | iexplore.exe | IEXPLORE.EXE
PID 604 wrote to memory of 900 | 604 | iexplore.exe | IEXPLORE.EXE
PID 604 wrote to memory of 900 | 604 | iexplore.exe | IEXPLORE.EXE
PID 604 wrote to memory of 900 | 604 | iexplore.exe | IEXPLORE.EXE
PID 2020 wrote to memory of 1732 | 2020 | unlodctr.exe | WScript.exe
PID 2020 wrote to memory of 1732 | 2020 | unlodctr.exe | WScript.exe
PID 2020 wrote to memory of 1732 | 2020 | unlodctr.exe | WScript.exe
PID 2020 wrote to memory of 1732 | 2020 | unlodctr.exe | WScript.exe
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
command line: "C:\Users\Admin\AppData\Local\Temp\56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe"
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
[level 2] C:\Users\Admin\AppData\Roaming\{3FDA8883-7C9D-C032-FD64-C2100C9BF2F3}\unlodctr.exe
command line: "C:\Users\Admin\AppData\Roaming\{3FDA8883-7C9D-C032-FD64-C2100C9BF2F3}\unlodctr.exe"
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies extensions of user files
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\system32\vssadmin.exe
command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
- Interacts with shadow copies
-
[level 3] C:\Windows\system32\wbem\wmic.exe
command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
[level 3] C:\Windows\System32\bcdedit.exe
command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
- Modifies boot configuration data using bcdedit
-
[level 3] C:\Windows\System32\bcdedit.exe
command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
- Modifies boot configuration data using bcdedit
-
[level 3] C:\Program Files\Internet Explorer\iexplore.exe
command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[level 4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:604 CREDAT:275457 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
[level 4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:604 CREDAT:209922 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
[level 3] C:\Windows\system32\NOTEPAD.EXE
command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
-
[level 3] C:\Windows\System32\WScript.exe
command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
-
[level 2] C:\Windows\SysWOW64\cmd.exe
command line: /d /c taskkill /t /f /im "56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe" > NUL
- Deletes itself
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /t /f /im "56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
[level 3] C:\Windows\SysWOW64\PING.EXE
command line: ping -n 1 127.0.0.1
- Runs ping.exe
-
[level 1] C:\Windows\system32\vssvc.exe
command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
[level 1] C:\Program Files\Internet Explorer\iexplore.exe
command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[level 2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:275457 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
[level 1] C:\Windows\SysWOW64\DllHost.exe
command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
-
[level 1] C:\Windows\system32\AUDIODG.EXE
command line: C:\Windows\system32\AUDIODG.EXE 0x54c
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0EF78D31-0BC9-11ED-AA2A-6ACE15CCDF97}.dat
Filesize: 5KB
MD5: a6afe325915bc063af1168de2dcec964
SHA1: 1996c2da84209c7799de371abfa81c6b7e164bc4
SHA256: 31f4d9fa9a0b8096acd078183ce4f72786da00ebc56920db398f2098eb030e2e
SHA512: f6a1870aebd3e05c1ebcfc2083bb89a524216ecc0e857a2ee110a9d9cca412faf408aee32edbbaf885e398dbe89357517fc0cb889b6f307a932bc6f5d4750de7
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0F2265F1-0BC9-11ED-AA2A-6ACE15CCDF97}.dat
Filesize: 4KB
MD5: 863de8f9e8c4c02da156c14f5974f2c1
SHA1: 2dc774c02e70398b4354492564b22c88771bcb6f
SHA256: f7fb94c2c4dc5a4745491555caeb4d44394a8fc919b0ff53377bb088ca201a93
SHA512: b13f4fac1deda300b8421803f2e4133430695b2a2d479140779893f2c96be8b8d1e313a6ad1178f1f64bc6787e563c1b551db1356dc7b269b1f5d8597f8782ff
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\unlodctr.lnk
Filesize: 1KB
MD5: 86d4790ac5c5a1761a160f98f3c47913
SHA1: 12b0aa0ea84ebec6c31d0ff1c055aedfd84fa9fd
SHA256: 50d4bce60ad254b971de799ed56f15c8518acb2ff34d15f72f94176cd725d631
SHA512: e692e2bd8f3c92cda606a3b3bfd4d5549e4c612b11afc52f5d70b6e438a1de6ebdda06abde6cf7f9badc9157669d0b2fb3731cafa29f01769bc7a8672bd730f8
-
C:\Users\Admin\AppData\Roaming\{3FDA8883-7C9D-C032-FD64-C2100C9BF2F3}\unlodctr.exe
Filesize: 391KB
MD5: 556f80cd43688a4207fdf1d3af8231cf
SHA1: 1e284ecbc04e8448c5409eaa86fe6dd0f2005e52
SHA256: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518
SHA512: 61de644678fafa5cc7d75e070d0ec01ccca43d68f992de1b2628f0f8cbe5f74c75beaeac8ed798c4009ce7b596a6a02c340cb29c1fad6d84ab80fadae627ca6f
-
C:\Users\Admin\AppData\Roaming\{3FDA8883-7C9D-C032-FD64-C2100C9BF2F3}\unlodctr.exe
Filesize: 391KB
MD5: 556f80cd43688a4207fdf1d3af8231cf
SHA1: 1e284ecbc04e8448c5409eaa86fe6dd0f2005e52
SHA256: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518
SHA512: 61de644678fafa5cc7d75e070d0ec01ccca43d68f992de1b2628f0f8cbe5f74c75beaeac8ed798c4009ce7b596a6a02c340cb29c1fad6d84ab80fadae627ca6f
-
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
Filesize: 12KB
MD5: eb609d55e99065ff8aa6e3d9246843b4
SHA1: 883348a9eb2795f461874c925f158e3a0e1d7a67
SHA256: 03ea703bf8cfad1e7c887a57dac8b62e25dba0ccc68571377112e0f0bb3be092
SHA512: 19fc00f58693c1793e917e8d09ee6ca119b99ab17d09e904915f40435e6bc96b5b915879e9c8624b85411016d1564592a4c3f0c7d078f0fe624536549091c0fd
-
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
Filesize: 10KB
MD5: 0d6146a708df335840c2c7c7fa427114
SHA1: 52558b35211a2dc13cdbc58b05ba8deb2ba1ffe7
SHA256: 6e324970b1212dcbf0cd0b3834c6c6ad07fb61b2b743cc7e43c49155df030108
SHA512: 91ab48bf40c83aad0061d004a04b5f2dfb8d0d833a86944ed72533994224d60190a712b183bef65dd82127f0c757cf97fc8050a25e9d9102ce7323de0580a708
-
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.url
Filesize: 85B
MD5: e07ec55020ee043c06f42d9529b85e32
SHA1: c23f164d19663ce3c54245ee0161f8cf3ea53241
SHA256: edac0bf2bf8522343578b84f9c4fe0d5a91ab1ddcf373d2cab18c7b3efbb9259
SHA512: 3e0eeadfd25a99508738331e496335dc467179b2238ffe8df4710b35122bfddbd4d36d63d6c7bfdf9a699029892378f8f53174a9c1a84bdddd46e98b3cafd396
-
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs
Filesize: 219B
MD5: 35a3e3b45dcfc1e6c4fd4a160873a0d1
SHA1: a0bcc855f2b75d82cbaae3a8710f816956e94b37
SHA256: 8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
SHA512: 6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853
-
\Users\Admin\AppData\Roaming\{3FDA8883-7C9D-C032-FD64-C2100C9BF2F3}\unlodctr.exe
Filesize: 391KB
MD5: 556f80cd43688a4207fdf1d3af8231cf
SHA1: 1e284ecbc04e8448c5409eaa86fe6dd0f2005e52
SHA256: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518
SHA512: 61de644678fafa5cc7d75e070d0ec01ccca43d68f992de1b2628f0f8cbe5f74c75beaeac8ed798c4009ce7b596a6a02c340cb29c1fad6d84ab80fadae627ca6f
-
\Users\Admin\AppData\Roaming\{3FDA8883-7C9D-C032-FD64-C2100C9BF2F3}\unlodctr.exe
Filesize: 391KB
MD5: 556f80cd43688a4207fdf1d3af8231cf
SHA1: 1e284ecbc04e8448c5409eaa86fe6dd0f2005e52
SHA256: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518
SHA512: 61de644678fafa5cc7d75e070d0ec01ccca43d68f992de1b2628f0f8cbe5f74c75beaeac8ed798c4009ce7b596a6a02c340cb29c1fad6d84ab80fadae627ca6f
-
\Users\Admin\AppData\Roaming\{3FDA8883-7C9D-C032-FD64-C2100C9BF2F3}\unlodctr.exe
Filesize: 391KB
MD5: 556f80cd43688a4207fdf1d3af8231cf
SHA1: 1e284ecbc04e8448c5409eaa86fe6dd0f2005e52
SHA256: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518
SHA512: 61de644678fafa5cc7d75e070d0ec01ccca43d68f992de1b2628f0f8cbe5f74c75beaeac8ed798c4009ce7b596a6a02c340cb29c1fad6d84ab80fadae627ca6f
-
memory/208-76-0x000007FEFC341000-0x000007FEFC343000-memory.dmp
Filesize: 8KB
-
memory/208-75-0x0000000000000000-mapping.dmp
-
memory/512-67-0x0000000000000000-mapping.dmp
-
memory/1156-70-0x0000000000000000-mapping.dmp
-
memory/1168-62-0x0000000000000000-mapping.dmp
-
memory/1316-66-0x0000000000000000-mapping.dmp
-
memory/1436-65-0x0000000000000000-mapping.dmp
-
memory/1616-69-0x0000000000000000-mapping.dmp
-
memory/1648-71-0x0000000000000000-mapping.dmp
-
memory/1732-82-0x0000000000000000-mapping.dmp
-
memory/1752-73-0x0000000000400000-0x0000000000463000-memory.dmp
Filesize: 396KB
-
memory/1752-63-0x0000000000400000-0x0000000000463000-memory.dmp
Filesize: 396KB
-
memory/1752-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
Filesize: 8KB
-
memory/1752-60-0x00000000003A0000-0x00000000003BF000-memory.dmp
Filesize: 124KB
-
memory/2020-74-0x0000000000400000-0x0000000000463000-memory.dmp
Filesize: 396KB
-
memory/2020-68-0x0000000000400000-0x0000000000463000-memory.dmp
Filesize: 396KB
-
memory/2020-57-0x0000000000000000-mapping.dmp