55aa5e191a82d31ff9eb2ac6937895dec35c248cd8b346c50e1ba24e8eaba7b3

Analysis

max time kernel
52s
max time network
72s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
18/10/2022, 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aff17_load_priority_f.exe
Size

385KB
MD5

8c50ab521ac15859a58e67f3f763e9d2
SHA1

80c15b88d6556fb8462b9a89ee88c38db7b5b3ff
SHA256

55aa5e191a82d31ff9eb2ac6937895dec35c248cd8b346c50e1ba24e8eaba7b3
SHA512

2c61b389d75845c14d889cb7977b3d61efc0fda88f3722a602694bac3fe9d63d2f7b439c4a948d20f4a81fe910ea2fb3166d24ae3b989139ebb053e0097481f5
SSDEEP

3072:QQD/XygRxLw/mxA+PwkvhHB7V4hmszU1akCwVMgTorYkxHXEh8jE63uw7E2m4huP:QArRpw/mxA+ZxB54q/VrkHX2jA+GI3

Score

8^/10

ransomware

Malware Config

Signatures

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\UseOpen.tiff	certutil.exe
File opened for modification	C:\Users\Admin\Pictures\UseOpen.tiff	certutil.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Desktop\desktop.ini	certutil.exe
File created	C:\Users\Admin\Music\desktop.ini	certutil.exe
File created	C:\Users\Admin\Pictures\desktop.ini	certutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	aff17_load_priority_f.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3432	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3176	aff17_load_priority_f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 4772	3176	aff17_load_priority_f.exe	67
PID 3176 wrote to memory of 4772	3176	aff17_load_priority_f.exe	67
PID 3176 wrote to memory of 1812	3176	aff17_load_priority_f.exe	69
PID 3176 wrote to memory of 1812	3176	aff17_load_priority_f.exe	69
PID 3176 wrote to memory of 1568	3176	aff17_load_priority_f.exe	71
PID 3176 wrote to memory of 1568	3176	aff17_load_priority_f.exe	71
PID 3176 wrote to memory of 4876	3176	aff17_load_priority_f.exe	73
PID 3176 wrote to memory of 4876	3176	aff17_load_priority_f.exe	73
PID 3176 wrote to memory of 4204	3176	aff17_load_priority_f.exe	75
PID 3176 wrote to memory of 4204	3176	aff17_load_priority_f.exe	75
PID 3176 wrote to memory of 940	3176	aff17_load_priority_f.exe	77
PID 3176 wrote to memory of 940	3176	aff17_load_priority_f.exe	77
PID 3176 wrote to memory of 2916	3176	aff17_load_priority_f.exe	79
PID 3176 wrote to memory of 2916	3176	aff17_load_priority_f.exe	79
PID 3176 wrote to memory of 3356	3176	aff17_load_priority_f.exe	81
PID 3176 wrote to memory of 3356	3176	aff17_load_priority_f.exe	81
PID 3176 wrote to memory of 4904	3176	aff17_load_priority_f.exe	84
PID 3176 wrote to memory of 4904	3176	aff17_load_priority_f.exe	84
PID 3176 wrote to memory of 4420	3176	aff17_load_priority_f.exe	86
PID 3176 wrote to memory of 4420	3176	aff17_load_priority_f.exe	86
PID 3176 wrote to memory of 4012	3176	aff17_load_priority_f.exe	88
PID 3176 wrote to memory of 4012	3176	aff17_load_priority_f.exe	88
PID 3176 wrote to memory of 5116	3176	aff17_load_priority_f.exe	90
PID 3176 wrote to memory of 5116	3176	aff17_load_priority_f.exe	90
PID 3176 wrote to memory of 3968	3176	aff17_load_priority_f.exe	92
PID 3176 wrote to memory of 3968	3176	aff17_load_priority_f.exe	92
PID 3176 wrote to memory of 3152	3176	aff17_load_priority_f.exe	94
PID 3176 wrote to memory of 3152	3176	aff17_load_priority_f.exe	94
PID 3176 wrote to memory of 4604	3176	aff17_load_priority_f.exe	96
PID 3176 wrote to memory of 4604	3176	aff17_load_priority_f.exe	96
PID 3176 wrote to memory of 4652	3176	aff17_load_priority_f.exe	98
PID 3176 wrote to memory of 4652	3176	aff17_load_priority_f.exe	98
PID 3176 wrote to memory of 4992	3176	aff17_load_priority_f.exe	100
PID 3176 wrote to memory of 4992	3176	aff17_load_priority_f.exe	100
PID 3176 wrote to memory of 3696	3176	aff17_load_priority_f.exe	102
PID 3176 wrote to memory of 3696	3176	aff17_load_priority_f.exe	102
PID 3176 wrote to memory of 4372	3176	aff17_load_priority_f.exe	104
PID 3176 wrote to memory of 4372	3176	aff17_load_priority_f.exe	104
PID 3176 wrote to memory of 4684	3176	aff17_load_priority_f.exe	106
PID 3176 wrote to memory of 4684	3176	aff17_load_priority_f.exe	106
PID 3176 wrote to memory of 4520	3176	aff17_load_priority_f.exe	108
PID 3176 wrote to memory of 4520	3176	aff17_load_priority_f.exe	108
PID 3176 wrote to memory of 4428	3176	aff17_load_priority_f.exe	110
PID 3176 wrote to memory of 4428	3176	aff17_load_priority_f.exe	110
PID 3176 wrote to memory of 4580	3176	aff17_load_priority_f.exe	112
PID 3176 wrote to memory of 4580	3176	aff17_load_priority_f.exe	112
PID 3176 wrote to memory of 1160	3176	aff17_load_priority_f.exe	114
PID 3176 wrote to memory of 1160	3176	aff17_load_priority_f.exe	114
PID 3176 wrote to memory of 1396	3176	aff17_load_priority_f.exe	116
PID 3176 wrote to memory of 1396	3176	aff17_load_priority_f.exe	116
PID 3176 wrote to memory of 860	3176	aff17_load_priority_f.exe	118
PID 3176 wrote to memory of 860	3176	aff17_load_priority_f.exe	118
PID 3176 wrote to memory of 420	3176	aff17_load_priority_f.exe	120
PID 3176 wrote to memory of 420	3176	aff17_load_priority_f.exe	120
PID 3176 wrote to memory of 212	3176	aff17_load_priority_f.exe	122
PID 3176 wrote to memory of 212	3176	aff17_load_priority_f.exe	122
PID 3176 wrote to memory of 2016	3176	aff17_load_priority_f.exe	124
PID 3176 wrote to memory of 2016	3176	aff17_load_priority_f.exe	124
PID 3176 wrote to memory of 1612	3176	aff17_load_priority_f.exe	126
PID 3176 wrote to memory of 1612	3176	aff17_load_priority_f.exe	126
PID 3176 wrote to memory of 648	3176	aff17_load_priority_f.exe	128
PID 3176 wrote to memory of 648	3176	aff17_load_priority_f.exe	128
PID 3176 wrote to memory of 1688	3176	aff17_load_priority_f.exe	130
PID 3176 wrote to memory of 1688	3176	aff17_load_priority_f.exe	130

C:\Users\Admin\AppData\Local\Temp\aff17_load_priority_f.exe
"C:\Users\Admin\AppData\Local\Temp\aff17_load_priority_f.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\ApproveGrant.WTV" "C:\Users\Admin\Desktop\ApproveGrant.WTV"
  2⤵
  PID:4772
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\BackupFind.vbs" "C:\Users\Admin\Desktop\BackupFind.vbs"
  2⤵
  PID:1812
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\CompleteDisconnect.ppt" "C:\Users\Admin\Desktop\CompleteDisconnect.ppt"
  2⤵
  PID:1568
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\CompressRead.mp3" "C:\Users\Admin\Desktop\CompressRead.mp3"
  2⤵
  PID:4876
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\ConfirmProtect.vsd" "C:\Users\Admin\Desktop\ConfirmProtect.vsd"
  2⤵
  PID:4204
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\CopyFormat.fon" "C:\Users\Admin\Desktop\CopyFormat.fon"
  2⤵
  PID:940
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\DebugCompare.vsdx" "C:\Users\Admin\Desktop\DebugCompare.vsdx"
  2⤵
  PID:2916
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\desktop.ini" "C:\Users\Admin\Desktop\desktop.ini"
  2⤵
  - Drops desktop.ini file(s)
  PID:3356
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\MoveWrite.xlsb" "C:\Users\Admin\Desktop\MoveWrite.xlsb"
  2⤵
  PID:4904
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\NewMeasure.mp3" "C:\Users\Admin\Desktop\NewMeasure.mp3"
  2⤵
  PID:4420
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\NewProtect.html" "C:\Users\Admin\Desktop\NewProtect.html"
  2⤵
  PID:4012
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\PingEdit.xlsb" "C:\Users\Admin\Desktop\PingEdit.xlsb"
  2⤵
  PID:5116
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\PingRepair.AAC" "C:\Users\Admin\Desktop\PingRepair.AAC"
  2⤵
  PID:3968
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\PublishOut.pptm" "C:\Users\Admin\Desktop\PublishOut.pptm"
  2⤵
  PID:3152
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\PushDisable.php" "C:\Users\Admin\Desktop\PushDisable.php"
  2⤵
  PID:4604
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\ReadRestore.png" "C:\Users\Admin\Desktop\ReadRestore.png"
  2⤵
  PID:4652
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\RemoveExpand.svgz" "C:\Users\Admin\Desktop\RemoveExpand.svgz"
  2⤵
  PID:4992
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\RepairConvertTo.temp" "C:\Users\Admin\Desktop\RepairConvertTo.temp"
  2⤵
  PID:3696
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\RevokeExport.tiff" "C:\Users\Admin\Desktop\RevokeExport.tiff"
  2⤵
  PID:4372
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\SetRequest.vdx" "C:\Users\Admin\Desktop\SetRequest.vdx"
  2⤵
  PID:4684
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\ShowFormat.vbe" "C:\Users\Admin\Desktop\ShowFormat.vbe"
  2⤵
  PID:4520
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\SplitCompare.rmi" "C:\Users\Admin\Desktop\SplitCompare.rmi"
  2⤵
  PID:4428
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\SplitComplete.scf" "C:\Users\Admin\Desktop\SplitComplete.scf"
  2⤵
  PID:4580
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\SplitFormat.m3u" "C:\Users\Admin\Desktop\SplitFormat.m3u"
  2⤵
  PID:1160
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\StepAdd.jpeg" "C:\Users\Admin\Desktop\StepAdd.jpeg"
  2⤵
  PID:1396
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\UndoComplete.rm" "C:\Users\Admin\Desktop\UndoComplete.rm"
  2⤵
  PID:860
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\UndoOpen.bin" "C:\Users\Admin\Desktop\UndoOpen.bin"
  2⤵
  PID:420
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\UnregisterPush.xps" "C:\Users\Admin\Desktop\UnregisterPush.xps"
  2⤵
  PID:212
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\WaitRedo.xlsm" "C:\Users\Admin\Desktop\WaitRedo.xlsm"
  2⤵
  PID:2016
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\BackupExport.3gp2" "C:\Users\Admin\Music\BackupExport.3gp2"
  2⤵
  PID:1612
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\BlockEdit.au3" "C:\Users\Admin\Music\BlockEdit.au3"
  2⤵
  PID:648
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\BlockNew.vstm" "C:\Users\Admin\Music\BlockNew.vstm"
  2⤵
  PID:1688
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\CheckpointExpand.vssx" "C:\Users\Admin\Music\CheckpointExpand.vssx"
  2⤵
  PID:1660
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\CheckpointTest.fon" "C:\Users\Admin\Music\CheckpointTest.fon"
  2⤵
  PID:2436
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\CompressLock.bat" "C:\Users\Admin\Music\CompressLock.bat"
  2⤵
  PID:4468
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\ConfirmPublish.mp3" "C:\Users\Admin\Music\ConfirmPublish.mp3"
  2⤵
  PID:1864
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\ConfirmWrite.hta" "C:\Users\Admin\Music\ConfirmWrite.hta"
  2⤵
  PID:4868
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\ConfirmWrite.ico" "C:\Users\Admin\Music\ConfirmWrite.ico"
  2⤵
  PID:5096
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\desktop.ini" "C:\Users\Admin\Music\desktop.ini"
  2⤵
  - Drops desktop.ini file(s)
  PID:3620
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\DismountInvoke.m4v" "C:\Users\Admin\Music\DismountInvoke.m4v"
  2⤵
  PID:3604
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\ExitConfirm.svg" "C:\Users\Admin\Music\ExitConfirm.svg"
  2⤵
  PID:4396
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\FindPublish.wax" "C:\Users\Admin\Music\FindPublish.wax"
  2⤵
  PID:4272
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\GroupConfirm.xlsx" "C:\Users\Admin\Music\GroupConfirm.xlsx"
  2⤵
  PID:3936
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\LimitRead.mht" "C:\Users\Admin\Music\LimitRead.mht"
  2⤵
  PID:5008
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\OutDebug.mp4" "C:\Users\Admin\Music\OutDebug.mp4"
  2⤵
  PID:3540
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\OutStart.rm" "C:\Users\Admin\Music\OutStart.rm"
  2⤵
  PID:3984
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\PublishUnregister.wma" "C:\Users\Admin\Music\PublishUnregister.wma"
  2⤵
  PID:3600
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\RepairUninstall.wmv" "C:\Users\Admin\Music\RepairUninstall.wmv"
  2⤵
  PID:5060
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\ResizeProtect.bin" "C:\Users\Admin\Music\ResizeProtect.bin"
  2⤵
  PID:4920
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\RestoreCheckpoint.mpv2" "C:\Users\Admin\Music\RestoreCheckpoint.mpv2"
  2⤵
  PID:4352
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\RestoreCompare.xlsx" "C:\Users\Admin\Music\RestoreCompare.xlsx"
  2⤵
  PID:4392
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\RestoreOut.vsw" "C:\Users\Admin\Music\RestoreOut.vsw"
  2⤵
  PID:2748
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\RevokeSubmit.potm" "C:\Users\Admin\Music\RevokeSubmit.potm"
  2⤵
  PID:4224
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\ShowOptimize.mov" "C:\Users\Admin\Music\ShowOptimize.mov"
  2⤵
  PID:364
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\StepExpand.ram" "C:\Users\Admin\Music\StepExpand.ram"
  2⤵
  PID:1052
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\StopRead.eps" "C:\Users\Admin\Music\StopRead.eps"
  2⤵
  PID:592
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\SubmitBackup.ogg" "C:\Users\Admin\Music\SubmitBackup.ogg"
  2⤵
  PID:3276
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\SubmitSearch.tiff" "C:\Users\Admin\Music\SubmitSearch.tiff"
  2⤵
  PID:2240
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\SwitchShow.edrwx" "C:\Users\Admin\Music\SwitchShow.edrwx"
  2⤵
  PID:4900
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\SyncInitialize.wma" "C:\Users\Admin\Music\SyncInitialize.wma"
  2⤵
  PID:752
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\UninstallCheckpoint.xltx" "C:\Users\Admin\Music\UninstallCheckpoint.xltx"
  2⤵
  PID:2184
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\WaitCompare.DVR" "C:\Users\Admin\Music\WaitCompare.DVR"
  2⤵
  PID:2628
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\BackupUndo.wmf" "C:\Users\Admin\Pictures\BackupUndo.wmf"
  2⤵
  PID:3824
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\ConnectStart.svg" "C:\Users\Admin\Pictures\ConnectStart.svg"
  2⤵
  PID:4448
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\desktop.ini" "C:\Users\Admin\Pictures\desktop.ini"
  2⤵
  - Drops desktop.ini file(s)
  PID:2132
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\GrantDismount.dxf" "C:\Users\Admin\Pictures\GrantDismount.dxf"
  2⤵
  PID:4760
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\InitializeOptimize.pcx" "C:\Users\Admin\Pictures\InitializeOptimize.pcx"
  2⤵
  PID:4304
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\LimitSend.raw" "C:\Users\Admin\Pictures\LimitSend.raw"
  2⤵
  PID:1460
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\MountAdd.tif" "C:\Users\Admin\Pictures\MountAdd.tif"
  2⤵
  PID:3524
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\MountJoin.ico" "C:\Users\Admin\Pictures\MountJoin.ico"
  2⤵
  PID:3928
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\My Wallpaper.jpg" "C:\Users\Admin\Pictures\My Wallpaper.jpg"
  2⤵
  PID:5004
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\OutDisconnect.cr2" "C:\Users\Admin\Pictures\OutDisconnect.cr2"
  2⤵
  PID:3612
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\PingSearch.svgz" "C:\Users\Admin\Pictures\PingSearch.svgz"
  2⤵
  PID:4948
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\ReadRequest.ico" "C:\Users\Admin\Pictures\ReadRequest.ico"
  2⤵
  PID:4348
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\RenameConvertTo.png" "C:\Users\Admin\Pictures\RenameConvertTo.png"
  2⤵
  PID:4640
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\RequestExpand.pcx" "C:\Users\Admin\Pictures\RequestExpand.pcx"
  2⤵
  PID:5088
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\ResumeResolve.eps" "C:\Users\Admin\Pictures\ResumeResolve.eps"
  2⤵
  PID:4628
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\StopProtect.svgz" "C:\Users\Admin\Pictures\StopProtect.svgz"
  2⤵
  PID:4536
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\StopSelect.bmp" "C:\Users\Admin\Pictures\StopSelect.bmp"
  2⤵
  PID:4460
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\UseOpen.tiff" "C:\Users\Admin\Pictures\UseOpen.tiff"
  2⤵
  - Modifies extensions of user files
  PID:1644
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\ApproveSend.csv" "C:\Users\Admin\Documents\ApproveSend.csv"
  2⤵
  PID:1060
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\Are.docx" "C:\Users\Admin\Documents\Are.docx"
  2⤵
  PID:1020
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\BlockConvertTo.vsw" "C:\Users\Admin\Documents\BlockConvertTo.vsw"
  2⤵
  PID:1164
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\CheckpointCopy.xls" "C:\Users\Admin\Documents\CheckpointCopy.xls"
  2⤵
  PID:3344
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\ClearMount.dotx" "C:\Users\Admin\Documents\ClearMount.dotx"
  2⤵
  PID:2252
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\ConvertSubmit.html" "C:\Users\Admin\Documents\ConvertSubmit.html"
  2⤵
  PID:2068
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\DebugSearch.mpp" "C:\Users\Admin\Documents\DebugSearch.mpp"
  2⤵
  PID:2888
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\desktop.ini" "C:\Users\Admin\Documents\desktop.ini"
  2⤵
  PID:2424
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\EditInvoke.docx" "C:\Users\Admin\Documents\EditInvoke.docx"
  2⤵
  PID:4544
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\Files.docx" "C:\Users\Admin\Documents\Files.docx"
  2⤵
  PID:4252
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\FindGroup.vstx" "C:\Users\Admin\Documents\FindGroup.vstx"
  2⤵
  PID:4708
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\FormatExpand.vssm" "C:\Users\Admin\Documents\FormatExpand.vssm"
  2⤵
  PID:4864
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\FormatUninstall.wps" "C:\Users\Admin\Documents\FormatUninstall.wps"
  2⤵
  PID:3460
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\Opened.docx" "C:\Users\Admin\Documents\Opened.docx"
  2⤵
  PID:1084
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\OptimizeStep.vdw" "C:\Users\Admin\Documents\OptimizeStep.vdw"
  2⤵
  PID:4924
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\PublishConvert.ppt" "C:\Users\Admin\Documents\PublishConvert.ppt"
  2⤵
  PID:3964
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\PublishPop.vst" "C:\Users\Admin\Documents\PublishPop.vst"
  2⤵
  PID:4956
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\ReadWait.wps" "C:\Users\Admin\Documents\ReadWait.wps"
  2⤵
  PID:3168
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\Recently.docx" "C:\Users\Admin\Documents\Recently.docx"
  2⤵
  PID:5076
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\RedoCompress.xlsb" "C:\Users\Admin\Documents\RedoCompress.xlsb"
  2⤵
  PID:4656
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\RemoveJoin.potx" "C:\Users\Admin\Documents\RemoveJoin.potx"
  2⤵
  PID:4552
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\RequestComplete.odp" "C:\Users\Admin\Documents\RequestComplete.odp"
  2⤵
  PID:4436
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\SaveBackup.pdf" "C:\Users\Admin\Documents\SaveBackup.pdf"
  2⤵
  PID:904
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\SetRestart.docx" "C:\Users\Admin\Documents\SetRestart.docx"
  2⤵
  PID:1704
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\SkipClose.wps" "C:\Users\Admin\Documents\SkipClose.wps"
  2⤵
  PID:508
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\SplitSkip.xls" "C:\Users\Admin\Documents\SplitSkip.xls"
  2⤵
  PID:3336
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\SplitUninstall.rtf" "C:\Users\Admin\Documents\SplitUninstall.rtf"
  2⤵
  PID:344
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\SwitchRegister.xlsb" "C:\Users\Admin\Documents\SwitchRegister.xlsb"
  2⤵
  PID:1696
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\These.docx" "C:\Users\Admin\Documents\These.docx"
  2⤵
  PID:2064
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\UnblockResize.vst" "C:\Users\Admin\Documents\UnblockResize.vst"
  2⤵
  PID:2704
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\UnlockDisable.odp" "C:\Users\Admin\Documents\UnlockDisable.odp"
  2⤵
  PID:4944
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\UnlockRestore.dotm" "C:\Users\Admin\Documents\UnlockRestore.dotm"
  2⤵
  PID:4780
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\UnprotectMerge.potm" "C:\Users\Admin\Documents\UnprotectMerge.potm"
  2⤵
  PID:4380
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_DECRYPT_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\HOW_TO_DECRYPT_FILES.txt

Filesize
639B

MD5
135b32321842f6a758c190bab5f635c8

SHA1
845d3bb016e37f205bf1de2b19052a31b3eeb12a

SHA256
0e88f1c0e8c73fb4eaddec79e1a5d7ca98e50b15d9a351144b57fa51aeec14af

SHA512
0828e1ac1c058db111cb2425348c0feb05136989ac231be630b811b6632ab62f3deb75f45c297cf9e61e563ae921d8888fb8ae3237a1a7ad9d3aa88bad65fa71

Download Submit
memory/3176-115-0x00007FFF54EB0000-0x00007FFF558E3000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads