Analysis
-
max time kernel
70s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
27/10/2022, 15:07
Static task
static1
Behavioral task
behavioral1
Sample
6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe
Resource
win7-20220901-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
21 signatures
150 seconds
General
-
Target
6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe
-
Size
225KB
-
MD5
0d4247600f91e28bd390c91dd61ccd7f
-
SHA1
ba145483608a4ea567ed3c3c2b7e396098f5386a
-
SHA256
6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05
-
SHA512
0c1f20f0cf0cc80f861d502ee93ab886028a8cd9f3d83c0ce681c583e1371ec76a6fcaf76171d5ec4e36c15fd3a0cbadd7b25f34b51190636b62e090a9e3be46
-
SSDEEP
6144:NR+1JmXKQwAPxGXJZcKV50DErN5xgTw7ozFz254W:NR+reKQwAgZ+D6GcoxfW
Score
10/10
Malware Config
Extracted
Path
C:\README.html
Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center"><<<Venus>>></h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>Download TOX CHAT(https://tox.chat/download.html)and write to TOX:25FB9AB6691BD61F085409F0C18C2BE6D47705A5731F7ECBF566BEC4404D5D7A643DAE16AB3F<br></strong><br><br>pWM/19mmS/2j4/hntZOpze6Buoh39PMhsGdj9R+HXA2WuLb1g/mcLBXbZ6HP5pmq
biAtz4qloO8So0FJ+kEmcmcZsViqtCdpbeF432exDMnsX07hmIOnn6CtKXY5dx00
ExnwTSmfje3qmJwbMd58vhPiMe13smSsUyHPmBpmtRcGRVOpeVbV8aeluDqIUoGo
N/6syat9dVESdwp4kiBk9G79cxgM5tURTjzwy49HzuhUpEFpTA8yLY6UuGz3VrSw
6gninUA2iF26iFqGAG8rC42J9AAsMeCGg43uRaLtTU8LNulXiWY6e7dVROuU34of
wU1HoM82ts8lP7hxmgLb8uHFNCeZ51QFzo6uS88oi4IQfWBy++AWlIxTO3tp/vnO
KSLHRkozC8FKuhdsQLXr62962FgohSnF+BJxKSWMUxkLW76YjAmWVao8LPphRhoi
OJPEGIAsDs6JGw/O0jnPUcCwY2mr+nWf/uPTv6EHocO2dlV/YECS3YdO/kNoJ+N2
ZHjBnrNWLowq9y9BDtRNYfwZGIsGv2SITqOGNVhE/ppfPo3nH0JhaZPBe+3+H4Tg
+YrHSollabBy+GF1muDByc9pIdiD7GFGJdUmEIcNbAKKilvTvddyHXcjg+NmKGTr
cRxvbD7bKGDoyw==
</p></div></body></html></html></body></html>
Emails
us:<br><strong><br>email:[email protected]<br>Download
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\34960028031972527219.hta
Ransom Note
<<<Venus>>>
We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT!
If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.
In this case we will not be able to help you.
Do not play with files.
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us:
email:[email protected]
Download TOX CHAT(https://tox.chat/download.html)and write to TOX:25FB9AB6691BD61F085409F0C18C2BE6D47705A5731F7ECBF566BEC4404D5D7A643DAE16AB3F
Emails
email:[email protected]
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
pid Process 6324 bcdedit.exe -
pid Process 6044 wbadmin.exe -
Executes dropped EXE 1 IoCs
pid Process 4160 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe -
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\ClearApprove.tif => C:\Users\Admin\Pictures\ClearApprove.tif.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File renamed C:\Users\Admin\Pictures\InitializeUnregister.tif => C:\Users\Admin\Pictures\InitializeUnregister.tif.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Pictures\SplitUnregister.png.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File renamed C:\Users\Admin\Pictures\StopResize.png => C:\Users\Admin\Pictures\StopResize.png.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File renamed C:\Users\Admin\Pictures\UpdateCheckpoint.tif => C:\Users\Admin\Pictures\UpdateCheckpoint.tif.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Pictures\UpdateCheckpoint.tif.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Pictures\ClearApprove.tif.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Pictures\InitializeUnregister.tif.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File renamed C:\Users\Admin\Pictures\SplitUnregister.png => C:\Users\Admin\Pictures\SplitUnregister.png.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Pictures\StopResize.png.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe = "C:\\Windows\\6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe" 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe -
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Links\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Public\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Public\Documents\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Public\Videos\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-2629973501-4017243118-3254762364-1000\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Music\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification \Device\HarddiskVolume1\$RECYCLE.BIN\S-1-5-21-2629973501-4017243118-3254762364-1000\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files (x86)\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Users\Public\Music\desktop.ini 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened (read-only) \??\F: 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\34960028031972527219.jpg" 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\PackageManagementDscUtilities.strings.psd1.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\eu.pak.DATA 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files (x86)\Windows Media Player\wmprph.exe 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\GlobalMock-A.Tests.ps1 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-125_contrast-black.png 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-200.png 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-16.png 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\manifest.json.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Analytics.DATA 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\mfc140u.dll 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\MSFT_PackageManagement.strings.psd1.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\COPYRIGHT 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_hu.json 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pe.dll.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-200.png 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\ormma.js 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SpeedSelectionSlider.xbf 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\SystemX86\msvcp140.dll 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\LargeTile.scale-200.png 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\resources.pri 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\NoteToolbox-light.png 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-30_altform-lightunplated.png 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mt.pak.DATA 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30_altform-unplated.png 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxSignature.p7x.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\default.jfc.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\msedgeupdateres_sr-Cyrl-RS.dll.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-40.png 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ProviderShared.dll 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-20.png 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe File created C:\Windows\34960028031972527219.png 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 5896 vssadmin.exe -
Kills process with taskkill 1 IoCs
pid Process 4308 taskkill.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon\ = "C:\\Windows\\34960028031972527219.png" 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.venus 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1796 PING.EXE -
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process Token: SeDebugPrivilege 4160 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe Token: SeTcbPrivilege 4160 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe Token: SeTakeOwnershipPrivilege 4160 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe Token: SeSecurityPrivilege 4160 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe Token: SeDebugPrivilege 4308 taskkill.exe Token: SeBackupPrivilege 6080 wbengine.exe Token: SeRestorePrivilege 6080 wbengine.exe Token: SeSecurityPrivilege 6080 wbengine.exe Token: SeBackupPrivilege 4420 vssvc.exe Token: SeRestorePrivilege 4420 vssvc.exe Token: SeAuditPrivilege 4420 vssvc.exe Token: SeIncreaseQuotaPrivilege 6344 WMIC.exe Token: SeSecurityPrivilege 6344 WMIC.exe Token: SeTakeOwnershipPrivilege 6344 WMIC.exe Token: SeLoadDriverPrivilege 6344 WMIC.exe Token: SeSystemProfilePrivilege 6344 WMIC.exe Token: SeSystemtimePrivilege 6344 WMIC.exe Token: SeProfSingleProcessPrivilege 6344 WMIC.exe Token: SeIncBasePriorityPrivilege 6344 WMIC.exe Token: SeCreatePagefilePrivilege 6344 WMIC.exe Token: SeBackupPrivilege 6344 WMIC.exe Token: SeRestorePrivilege 6344 WMIC.exe Token: SeShutdownPrivilege 6344 WMIC.exe Token: SeDebugPrivilege 6344 WMIC.exe Token: SeSystemEnvironmentPrivilege 6344 WMIC.exe Token: SeRemoteShutdownPrivilege 6344 WMIC.exe Token: SeUndockPrivilege 6344 WMIC.exe Token: SeManageVolumePrivilege 6344 WMIC.exe Token: 33 6344 WMIC.exe Token: 34 6344 WMIC.exe Token: 35 6344 WMIC.exe Token: 36 6344 WMIC.exe Token: SeIncreaseQuotaPrivilege 6344 WMIC.exe Token: SeSecurityPrivilege 6344 WMIC.exe Token: SeTakeOwnershipPrivilege 6344 WMIC.exe Token: SeLoadDriverPrivilege 6344 WMIC.exe Token: SeSystemProfilePrivilege 6344 WMIC.exe Token: SeSystemtimePrivilege 6344 WMIC.exe Token: SeProfSingleProcessPrivilege 6344 WMIC.exe Token: SeIncBasePriorityPrivilege 6344 WMIC.exe Token: SeCreatePagefilePrivilege 6344 WMIC.exe Token: SeBackupPrivilege 6344 WMIC.exe Token: SeRestorePrivilege 6344 WMIC.exe Token: SeShutdownPrivilege 6344 WMIC.exe Token: SeDebugPrivilege 6344 WMIC.exe Token: SeSystemEnvironmentPrivilege 6344 WMIC.exe Token: SeRemoteShutdownPrivilege 6344 WMIC.exe Token: SeUndockPrivilege 6344 WMIC.exe Token: SeManageVolumePrivilege 6344 WMIC.exe Token: 33 6344 WMIC.exe Token: 34 6344 WMIC.exe Token: 35 6344 WMIC.exe Token: 36 6344 WMIC.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 1044 wrote to memory of 4160 1044 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe 82 PID 1044 wrote to memory of 4160 1044 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe 82 PID 1044 wrote to memory of 4160 1044 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe 82 PID 1044 wrote to memory of 4712 1044 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe 84 PID 1044 wrote to memory of 4712 1044 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe 84 PID 4160 wrote to memory of 4688 4160 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe 87 PID 4160 wrote to memory of 4688 4160 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe 87 PID 4712 wrote to memory of 1796 4712 cmd.exe 89 PID 4712 wrote to memory of 1796 4712 cmd.exe 89 PID 4688 wrote to memory of 4308 4688 cmd.exe 90 PID 4688 wrote to memory of 4308 4688 cmd.exe 90 PID 4160 wrote to memory of 5988 4160 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe 98 PID 4160 wrote to memory of 5988 4160 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe 98 PID 5988 wrote to memory of 6044 5988 cmd.exe 100 PID 5988 wrote to memory of 6044 5988 cmd.exe 100 PID 5988 wrote to memory of 5896 5988 cmd.exe 104 PID 5988 wrote to memory of 5896 5988 cmd.exe 104 PID 4160 wrote to memory of 3364 4160 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe 107 PID 4160 wrote to memory of 3364 4160 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe 107 PID 4160 wrote to memory of 3364 4160 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe 107 PID 5988 wrote to memory of 6324 5988 cmd.exe 112 PID 5988 wrote to memory of 6324 5988 cmd.exe 112 PID 5988 wrote to memory of 6344 5988 cmd.exe 113 PID 5988 wrote to memory of 6344 5988 cmd.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe"C:\Users\Admin\AppData\Local\Temp\6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe"C:\Windows\6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe" g g g o n e1232⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\System32\cmd.exe/C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe3⤵
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\system32\taskkill.exetaskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4308
-
-
-
C:\Windows\System32\cmd.exe/C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE3⤵
- Suspicious use of WriteProcessMemory
PID:5988 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:6044
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:5896
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} nx AlwaysOff4⤵
- Modifies boot configuration data using bcdedit
PID:6324
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6344
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\34960028031972527219.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵PID:3364
-
-
-
C:\Windows\System32\cmd.exe/c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\system32\PING.EXEping localhost -n 33⤵
- Runs ping.exe
PID:1796
-
-
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6080
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:6124
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:2528
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4420
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD527f18e238ada4033513e6441e0bb3574
SHA17683f1096ced4fda776082eeb38591d5e195c263
SHA25615d27d96f1d87da0e93d7eacdb0003068535e2946cee3b05fe5b8dd3a3009b63
SHA512227e758793b8a97de49a7d4758c599a5b47740a16047ced811a00de57305bacaf9420e55963fdc25041e0ffc7bd565cd07c0ed8eac8d602eb5ba3640b7a50e3a
-
Filesize
225KB
MD50d4247600f91e28bd390c91dd61ccd7f
SHA1ba145483608a4ea567ed3c3c2b7e396098f5386a
SHA2566d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05
SHA5120c1f20f0cf0cc80f861d502ee93ab886028a8cd9f3d83c0ce681c583e1371ec76a6fcaf76171d5ec4e36c15fd3a0cbadd7b25f34b51190636b62e090a9e3be46
-
Filesize
225KB
MD50d4247600f91e28bd390c91dd61ccd7f
SHA1ba145483608a4ea567ed3c3c2b7e396098f5386a
SHA2566d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05
SHA5120c1f20f0cf0cc80f861d502ee93ab886028a8cd9f3d83c0ce681c583e1371ec76a6fcaf76171d5ec4e36c15fd3a0cbadd7b25f34b51190636b62e090a9e3be46