Analysis
max time kernel: 109s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted: 01-11-2022 15:20
Static task: static1
Behavioral task: behavioral1
  Sample: b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
  Resource: win10v2004-20220812-en
General
Target: b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
Size: 423KB
MD5: 5aa991c89a6564a3c6351052e157f9d8
SHA1: f481e3cd126a429c33568070c2ff56d27c41a8ce
SHA256: b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979
SHA512: a2c84b4d4a2c27a1baee0fbed0d7b24ca1b1e2ddde6caad078236ecd931e0a2095fe0561ecc57e83830c4f52462d054d10105cc0aafe657c822515da5ec0f21b
SSDEEP: 6144:H8JsLcpjzTDDmHayakLkrb4NSarQWtT+tG1XRHOGU9gXIodHShK:8zxzTDWikLSb4NS7ET+tG1X/Fh
Malware Config
Signatures

Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware 10 IoCs
Processes:
  resource  yara_rule
  \Users\Admin\AppData\Local\Temp\RarSFX0\2.exe  family_chaos
  \Users\Admin\AppData\Local\Temp\RarSFX0\2.exe  family_chaos
  \Users\Admin\AppData\Local\Temp\RarSFX0\2.exe  family_chaos
  \Users\Admin\AppData\Local\Temp\RarSFX0\2.exe  family_chaos
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe  family_chaos
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe  family_chaos
  behavioral1/memory/2036-62-0x0000000001170000-0x000000000119A000-memory.dmp  family_chaos
  C:\Users\Admin\AppData\Roaming\svchost.exe  family_chaos
  C:\Users\Admin\AppData\Roaming\svchost.exe  family_chaos
  behavioral1/memory/1064-66-0x0000000000AA0000-0x0000000000ACA000-memory.dmp  family_chaos

Detected Xorist Ransomware 6 IoCs
Processes:
  resource  yara_rule
  \Users\Admin\AppData\Local\Temp\RarSFX0\1.exe  family_xorist
  \Users\Admin\AppData\Local\Temp\RarSFX0\1.exe  family_xorist
  \Users\Admin\AppData\Local\Temp\RarSFX0\1.exe  family_xorist
  \Users\Admin\AppData\Local\Temp\RarSFX0\1.exe  family_xorist
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe  family_xorist
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe  family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
  pid  process
  1904  bcdedit.exe
  940  bcdedit.exe
Processes:
  pid  process
  1916  wbadmin.exe

Drops file in Drivers directory 8 IoCs
Processes:
  description  ioc  process
  File opened for modification  C:\Windows\SysWOW64\drivers\gmreadme.txt  1.exe
  File created  C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt  1.exe

Executes dropped EXE 3 IoCs
Processes:
  pid  process
  2036  2.exe
  1064  svchost.exe
  560  1.exe

Drops startup file 5 IoCs
Processes:
  description  ioc  process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url  svchost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini  svchost.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\РАСШИФРОВАТЬ ФАЙЛЫ.txt  svchost.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\РАСШИФРОВАТЬ ФАЙЛЫ.txt  1.exe

Loads dropped DLL 8 IoCs
Processes:
  pid  process
  1280  b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
  1280  b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
  1280  b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
  1280  b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
  1280  b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
  1280  b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
  1280  b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
  1280  b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description  ioc  process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  1.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ox6l993g246G8Ko.exe"  1.exe

Drops desktop.ini file(s) 33 IoCs
Processes:
  description  ioc  process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\Desktop\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Public\Pictures\Sample Pictures\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Public\Music\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Public\Desktop\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\Downloads\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\Favorites\Links for United States\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\Documents\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\Music\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\Favorites\Links\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Public\Pictures\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\Saved Games\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\Favorites\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Public\Videos\Sample Videos\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\Pictures\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\Searches\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini  svchost.exe
  File opened for modification  C:\Users\Public\Music\Sample Music\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Public\Videos\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\Videos\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\Links\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Admin\Contacts\desktop.ini  svchost.exe
  File opened for modification  C:\Users\Public\Documents\desktop.ini  svchost.exe

Drops file in System32 directory 64 IoCs
Processes:
  description  ioc  process
  File created  C:\Windows\SysWOW64\com\en-US\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\es-ES\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\InstallShield\setupdir\000b\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Ultimate\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IasServer-MigPlugin\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_types.ps1xml.help.txt  1.exe
  File created  C:\Windows\SysWOW64\MUI\0407\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Windows_PowerShell_ISE.help.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\prnep00f.inf_amd64_neutral_a5f6001b957bd7e0\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Core_Commands.help.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_execution_policies.help.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\arc.inf_amd64_neutral_11b52dec8e94d9aa\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\mdmtdkj4.inf_amd64_neutral_c150a510c4b85ce7\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\mdmzyp.inf_amd64_neutral_b64bd08009e7444f\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\es-ES\Licenses\OEM\Ultimate\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\it-IT\Licenses\_Default\EnterpriseE\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\SearchProtocolHost.exe  1.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_While.help.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_job_details.help.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\netbvbda.inf_amd64_neutral_2bfa4ea57bd5d74a\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\prnlx00v.inf_amd64_neutral_86ff307c66080d00\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\he-IL\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\IME\IMEJP10\IMJPUEX.EXE  1.exe
  File opened for modification  C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsPhotoGallery.bmp  1.exe
  File opened for modification  C:\Windows\SysWOW64\sfc.exe  1.exe
  File created  C:\Windows\SysWOW64\WCN\fr-FR\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\mdmar1.inf_amd64_neutral_b8ebf59556c3dbf0\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\slmgr\0411\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Assignment_Operators.help.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_requirements.help.txt  1.exe
  File created  C:\Windows\SysWOW64\Dism\fr-FR\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\netrtx64.inf_amd64_neutral_410e89ed86071c9b\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\ph3xibc12.inf_amd64_neutral_ff7295ba5a46d63f\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\fr-FR\Licenses\_Default\EnterpriseN\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\fr-FR\Licenses\_Default\StarterE\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\SysWOW64\InstallShield\setupdir\0c0c\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\cmmon32.exe  1.exe
  File created  C:\Windows\System32\DriverStore\en-US\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\mdmmcd.inf_amd64_neutral_49212f5920298e45\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\es-ES\about_BITS_Cmdlets.help.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\PING.EXE  1.exe
  File opened for modification  C:\Windows\SysWOW64\Robocopy.exe  1.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Automatic_Variables.help.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\mdmtdk.inf_amd64_neutral_e567adb271831b5d\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_requirements.help.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_job_details.help.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_logical_operators.help.txt  1.exe
  File created  C:\Windows\SysWOW64\com\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\avc.inf_amd64_neutral_3ef33c750e6308ce\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\cxraptor_fm1216mk5_ibv64.inf_amd64_neutral_3eaae75b591bd148\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\prnle003.inf_amd64_neutral_c61883abf66ddb39\Amd64\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\IME\IMETC10\IMTCPROP.exe  1.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_WS-Management_Cmdlets.help.txt  1.exe
  File opened for modification  C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\ditrace.exe  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\mdmc26a.inf_amd64_neutral_547edd894d7c19d9\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\prnep304.inf_amd64_ja-jp_27c560b15d9928c0\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_neutral_cfffa4143b3c4592\Amd64\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_modules.help.txt  1.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_advanced.help.txt  1.exe
  File created  C:\Windows\SysWOW64\de\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\System32\DriverStore\de-DE\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\dot4.inf_amd64_neutral_b89cfac15ccb2fba\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\lsi_sas.inf_amd64_neutral_a4d6780f72cbd5b4\HOW TO DECRYPT FILES.txt  1.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
  description  ioc  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cojkx2bm0.jpg"  svchost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgkoacfhkmobdgil.bmp"  1.exe

Drops file in Program Files directory 64 IoCs
Processes:
  description  ioc  process
  File created  C:\Program Files\Common Files\System\Ole DB\ja-JP\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png  1.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\si.txt  1.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png  1.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_bullets.gif  1.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat  1.exe
  File created  C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT  1.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG  1.exe
  File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Program Files\Java\jre7\lib\ext\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp  1.exe
  File opened for modification  C:\Program Files\Java\jre7\bin\klist.exe  1.exe
  File created  C:\Program Files\Java\jre7\lib\images\cursors\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Program Files\VideoLAN\VLC\plugins\services_discovery\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\THMBNAIL.PNG  1.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\ta.txt  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG  1.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21377_.GIF  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_center.gif  1.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif  1.exe
  File created  C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00040_.GIF  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\TAB_ON.GIF  1.exe
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png  1.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png  1.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\PREVIEW.GIF  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP  1.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\Push\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png  1.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21303_.GIF  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\background.gif  1.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\ba.txt  1.exe
  File created  C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt  1.exe
  File created  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg  1.exe
  File opened for modification  C:\Program Files\Java\jre7\bin\javacpl.exe  1.exe
  File opened for modification  C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe  1.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html  1.exe
  File created  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG  1.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE  1.exe
  File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png  1.exe
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png  1.exe
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up_BIDI.png  1.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png  1.exe
  File created  C:\Program Files (x86)\Common Files\microsoft shared\Help\HOW TO DECRYPT FILES.txt  1.exe

Drops file in Windows directory 64 IoCs
Processes:
  description  ioc  process
  File created  C:\Windows\winsxs\x86_microsoft-windows-mapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ccd449383e84c7b6\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\x86_microsoft-windows-netplwiz-exe.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fdbc420d767a65e5\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget-insidebar_31bf3856ad364e35_6.1.7600.16385_none_04ef2896fc362397\bg_sidebar.png  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-n..erclasses.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_73a0e46b641d0379\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a0fcbd53df82fc1c\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-removablestorage-adm_31bf3856ad364e35_6.1.7600.16385_none_e338abd12c63dcf0\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-smbserver-netapi_31bf3856ad364e35_6.1.7601.17514_none_9ecc78ac672b15fc\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_netfx35wpf-microsoft_winfx_targets_31bf3856ad364e35_6.1.7600.16385_none_f1ec14daf9881833\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_nvraid.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b6dd851e1a7a5c0a\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-ie-gc-registeriepkeys_31bf3856ad364e35_11.2.9600.16428_none_0a3fe92b38dd8c45\RegisterIEPKEYs.exe  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-r..component.resources_31bf3856ad364e35_6.1.7601.17514_de-de_a164febaa701b3c2\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2fc20d555b85e7a6\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_6.1.7601.17514_none_dfe02de35bf41e0b\PrintBrmEngine.exe  1.exe
  File created  C:\Windows\winsxs\wow64_microsoft-windows-dot3svc-mof_31bf3856ad364e35_6.1.7601.17514_none_fed5505597978279\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\x86_microsoft-windows-mfc40.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a5ce5327d7b65f5a\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17514_none_d4259ed3b16ed82a\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-l..alization.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b3af76a53e79592a\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-o..s-service.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0b87e3eafadb992f\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-s..tcard-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_157cb486e2919499\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-diskraid.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1c67636df827f190\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\button_MCELogo_mouseout.png  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-mail-core.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_852f814c8eaeca66\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-w..installer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_755f24abe639fb46\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_fi-fi_f70334504d66c1b8\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\Boot\PCAT\hu-HU\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-a..premiumed.resources_31bf3856ad364e35_6.1.7600.16385_en-us_092ae311c7da63a9\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-iis-wmicompatibility_31bf3856ad364e35_6.1.7600.16385_none_51f754e7e6dc79fe\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_eb806fad92a5e1bd\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_ql40xx2.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f6633d985781b5f0\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\msil_system.workflow.runtime_31bf3856ad364e35_6.1.7601.17514_none_da2690491d9ef8ed\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe  1.exe
  File created  C:\Windows\winsxs\amd64_mdmnis3t.inf_31bf3856ad364e35_6.1.7600.16385_none_1a28a36619b5178f\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-cdosys.resources_31bf3856ad364e35_6.1.7601.17514_ar-sa_29d12cdb138d0965\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\x86_microsoft-windows-legacyhwui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f36e4f388e096ead\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-e..-ehepgres.resources_31bf3856ad364e35_6.1.7600.16385_en-us_613a560cdeeb69b6\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-7.htm  1.exe
  File created  C:\Windows\winsxs\amd64_netfx-system.management_b03f5f7f11d50a3a_6.1.7601.17514_none_f6397b438cd5e46b\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\x86_microsoft-windows-d..g-adminui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b7f7d1d2c65e2504\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\x86_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_it-it_970c208e9f8f3615\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_WMI_Cmdlets.help.txt  1.exe
  File created  C:\Windows\winsxs\x86_netfx35linq-system...del.dataannotations_31bf3856ad364e35_6.1.7601.17514_none_14c03c6a5757b547\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-s..repairbde.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_79b8c8362b698dd6\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_profiles.help.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-autochk.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fc92234d1c61b08a\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-gpupipeline_31bf3856ad364e35_6.1.7601.17514_none_5a5226e685faba67\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-s..mes-chess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8ce17f80cc8e9b4a\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-iis-w3svc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_fafddf5efddc7d12\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-b..smcnative.resources_31bf3856ad364e35_6.1.7600.16385_es-es_90f99d9fd7261bad\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_wsdapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ce3ddc5c903d7f36\HOW TO DECRYPT FILES.txt  1.exe
  File opened for modification  C:\Windows\Media\Raga\Windows Hardware Fail.wav  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-d..-resolver.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b295c87a0acc57b9\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-wmi-ping-provider_31bf3856ad364e35_6.1.7600.16385_none_a77af0ebe7f8a1cb\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_mdmhayes.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_59db672b5c128b4b\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00010401_31bf3856ad364e35_6.1.7600.16385_none_e65559fb7079dd6a\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00000440_31bf3856ad364e35_6.1.7600.16385_none_4d19ddf6b292e429\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\ad18f93fc713db2c4b29b25116c13bd8\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-e..e-library.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c56dd7fc3e6288e3\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\x86_microsoft-windows-sctasks.resources_31bf3856ad364e35_6.1.7600.16385_de-de_79fda6febb58c843\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_eb88050a81e35fb5\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\amd64_microsoft-windows-s..providers.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e6e8c38d9c1cd5cd\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\winsxs\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_es-es_a644046f764477ee\HOW TO DECRYPT FILES.txt  1.exe
  File created  C:\Windows\inf\ServiceModelOperation 3.0.0.0\0C0A\HOW TO DECRYPT FILES.txt  1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid process
1800 vssadmin.exe
-
Modifies registry class 10 IoCs
Processes:
1.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.huis_bn\ = "ZRMHJJVQXVFBFMX" 1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ox6l993g246G8Ko.exe,0" 1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell\open\command 1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell\open 1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.huis_bn 1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\ = "CRYPTED!" 1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\DefaultIcon 1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell 1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ox6l993g246G8Ko.exe" 1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX 1.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid process
1064 svchost.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
2.exe, svchost.exe
pid process
2036 2.exe
1064 svchost.exe
1064 svchost.exe
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
2.exe, svchost.exe, vssvc.exe, WMIC.exe, wbengine.exe
description pid process
Token: SeDebugPrivilege 2036 2.exe
Token: SeDebugPrivilege 1064 svchost.exe
Token: SeBackupPrivilege 1236 vssvc.exe
Token: SeRestorePrivilege 1236 vssvc.exe
Token: SeAuditPrivilege 1236 vssvc.exe
Token: SeIncreaseQuotaPrivilege 1948 WMIC.exe
Token: SeSecurityPrivilege 1948 WMIC.exe
Token: SeTakeOwnershipPrivilege 1948 WMIC.exe
Token: SeLoadDriverPrivilege 1948 WMIC.exe
Token: SeSystemProfilePrivilege 1948 WMIC.exe
Token: SeSystemtimePrivilege 1948 WMIC.exe
Token: SeProfSingleProcessPrivilege 1948 WMIC.exe
Token: SeIncBasePriorityPrivilege 1948 WMIC.exe
Token: SeCreatePagefilePrivilege 1948 WMIC.exe
Token: SeBackupPrivilege 1948 WMIC.exe
Token: SeRestorePrivilege 1948 WMIC.exe
Token: SeShutdownPrivilege 1948 WMIC.exe
Token: SeDebugPrivilege 1948 WMIC.exe
Token: SeSystemEnvironmentPrivilege 1948 WMIC.exe
Token: SeRemoteShutdownPrivilege 1948 WMIC.exe
Token: SeUndockPrivilege 1948 WMIC.exe
Token: SeManageVolumePrivilege 1948 WMIC.exe
Token: 33 1948 WMIC.exe
Token: 34 1948 WMIC.exe
Token: 35 1948 WMIC.exe
Token: SeIncreaseQuotaPrivilege 1948 WMIC.exe
Token: SeSecurityPrivilege 1948 WMIC.exe
Token: SeTakeOwnershipPrivilege 1948 WMIC.exe
Token: SeLoadDriverPrivilege 1948 WMIC.exe
Token: SeSystemProfilePrivilege 1948 WMIC.exe
Token: SeSystemtimePrivilege 1948 WMIC.exe
Token: SeProfSingleProcessPrivilege 1948 WMIC.exe
Token: SeIncBasePriorityPrivilege 1948 WMIC.exe
Token: SeCreatePagefilePrivilege 1948 WMIC.exe
Token: SeBackupPrivilege 1948 WMIC.exe
Token: SeRestorePrivilege 1948 WMIC.exe
Token: SeShutdownPrivilege 1948 WMIC.exe
Token: SeDebugPrivilege 1948 WMIC.exe
Token: SeSystemEnvironmentPrivilege 1948 WMIC.exe
Token: SeRemoteShutdownPrivilege 1948 WMIC.exe
Token: SeUndockPrivilege 1948 WMIC.exe
Token: SeManageVolumePrivilege 1948 WMIC.exe
Token: 33 1948 WMIC.exe
Token: 34 1948 WMIC.exe
Token: 35 1948 WMIC.exe
Token: SeBackupPrivilege 768 wbengine.exe
Token: SeRestorePrivilege 768 wbengine.exe
Token: SeSecurityPrivilege 768 wbengine.exe
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe, 2.exe, svchost.exe, cmd.exe, cmd.exe, cmd.exe
description pid process target process
PID 1280 wrote to memory of 2036 1280 b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe 2.exe
PID 1280 wrote to memory of 2036 1280 b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe 2.exe
PID 1280 wrote to memory of 2036 1280 b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe 2.exe
PID 1280 wrote to memory of 2036 1280 b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe 2.exe
PID 2036 wrote to memory of 1064 2036 2.exe svchost.exe
PID 2036 wrote to memory of 1064 2036 2.exe svchost.exe
PID 2036 wrote to memory of 1064 2036 2.exe svchost.exe
PID 1280 wrote to memory of 560 1280 b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe 1.exe
PID 1280 wrote to memory of 560 1280 b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe 1.exe
PID 1280 wrote to memory of 560 1280 b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe 1.exe
PID 1280 wrote to memory of 560 1280 b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe 1.exe
PID 1064 wrote to memory of 980 1064 svchost.exe cmd.exe
PID 1064 wrote to memory of 980 1064 svchost.exe cmd.exe
PID 1064 wrote to memory of 980 1064 svchost.exe cmd.exe
PID 980 wrote to memory of 1800 980 cmd.exe vssadmin.exe
PID 980 wrote to memory of 1800 980 cmd.exe vssadmin.exe
PID 980 wrote to memory of 1800 980 cmd.exe vssadmin.exe
PID 980 wrote to memory of 1948 980 cmd.exe WMIC.exe
PID 980 wrote to memory of 1948 980 cmd.exe WMIC.exe
PID 980 wrote to memory of 1948 980 cmd.exe WMIC.exe
PID 1064 wrote to memory of 1752 1064 svchost.exe cmd.exe
PID 1064 wrote to memory of 1752 1064 svchost.exe cmd.exe
PID 1064 wrote to memory of 1752 1064 svchost.exe cmd.exe
PID 1752 wrote to memory of 1904 1752 cmd.exe bcdedit.exe
PID 1752 wrote to memory of 1904 1752 cmd.exe bcdedit.exe
PID 1752 wrote to memory of 1904 1752 cmd.exe bcdedit.exe
PID 1752 wrote to memory of 940 1752 cmd.exe bcdedit.exe
PID 1752 wrote to memory of 940 1752 cmd.exe bcdedit.exe
PID 1752 wrote to memory of 940 1752 cmd.exe bcdedit.exe
PID 1064 wrote to memory of 1940 1064 svchost.exe cmd.exe
PID 1064 wrote to memory of 1940 1064 svchost.exe cmd.exe
PID 1064 wrote to memory of 1940 1064 svchost.exe cmd.exe
PID 1940 wrote to memory of 1916 1940 cmd.exe wbadmin.exe
PID 1940 wrote to memory of 1916 1940 cmd.exe wbadmin.exe
PID 1940 wrote to memory of 1916 1940 cmd.exe wbadmin.exe
PID 1064 wrote to memory of 1132 1064 svchost.exe NOTEPAD.EXE
PID 1064 wrote to memory of 1132 1064 svchost.exe NOTEPAD.EXE
PID 1064 wrote to memory of 1132 1064 svchost.exe NOTEPAD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe "C:\Users\Admin\AppData\Local\Temp\b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe" (depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe "C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe" (depth 2)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" (depth 3)
- Executes dropped EXE
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete (depth 4)
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\system32\vssadmin.exe vssadmin delete shadows /all /quiet (depth 5)
- Interacts with shadow copies
PID:1800 -
C:\Windows\System32\Wbem\WMIC.exe wmic shadowcopy delete (depth 5)
- Suspicious use of AdjustPrivilegeToken
PID:1948 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no (depth 4)
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\system32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures (depth 5)
- Modifies boot configuration data using bcdedit
PID:1904 -
C:\Windows\system32\bcdedit.exe bcdedit /set {default} recoveryenabled no (depth 5)
- Modifies boot configuration data using bcdedit
PID:940 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet (depth 4)
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\system32\wbadmin.exe wbadmin delete catalog -quiet (depth 5)
- Deletes backup catalog
PID:1916 -
C:\Windows\system32\NOTEPAD.EXE "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\РАСШИФРОВАТЬ ФАЙЛЫ.txt (depth 4)
PID:1132
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe" (depth 2)
- Drops file in Drivers directory
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:560
-
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe (depth 1)
- Suspicious use of AdjustPrivilegeToken
PID:1236
-
C:\Windows\system32\wbengine.exe "C:\Windows\system32\wbengine.exe" (depth 1)
- Suspicious use of AdjustPrivilegeToken
PID:768
-
C:\Windows\System32\vdsldr.exe C:\Windows\System32\vdsldr.exe -Embedding (depth 1)
PID:1568
-
C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe (depth 1)
PID:1408
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 57KB
MD5 bc9b44d8e5eb1543a26c16c2d45f8ab7
SHA1 6486e7f0a5a6fdd35913f790af2e3effc42ee994
SHA256 767312fe8e5224f5ab86f92dbe6bb7a9bfbab2850ff7238b88d1af753a5563ce
SHA512 50b357619d89158aeda54c759af41f7a6a37a279a53c9a2995857f4603532ac553e593a4ce4b287330cb66eb59646cac8449731965e7d4074c6217e818cc5e9e
-
Filesize 141KB
MD5 acea7e35f8878aea046a7eb35d0b8330
SHA1 16df89d9ab87b2e0473b284bcd808109a1d5c830
SHA256 8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe
SHA512 99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71
-
Filesize 141KB
MD5 98dff88098831ace45f0b21d27cfcdcf
SHA1 c4f6736a7966280592c77345d0f2b2d4ff0cf3fe
SHA256 2f96e2ed6569d0b94ca86181cd51e4f5505a5e54e02a6662adea60d2a6b87d7b
SHA512 823183b8b4b76b46b76e08871b3823006eca74f7b54377f22fc5fa954eab53007869b2804282e913ac30872ffc8d7e78207623e4831030dd6608ab9399b0b0e7
-
Filesize 336B
MD5 6157e19d642c3e0d5fd57b3705c40dbc
SHA1 f00d9d256216460aeef54ce40aad64082a231097
SHA256 7c811eb04128fd2a13d5746dcc15494e2593e635b64e474ad40a63ee3524bbf8
SHA512 e3ab76dd999232c0c02ab8de2b2eb9334b347d0734a34ddb075c9a7d28459a6dd0b6f1099892bbed0bd57d6e758540dafcf67f96e833dfa17006d3b001e15772
-
Filesize 331B
MD5 2257eeabd7acd4f3fce17525c2ba93e3
SHA1 8807bb45e47534f928a08f20520b97eaea254fff
SHA256 b0d70f954eff523a253f4811051b149529b8e8a93e721e4c26cb399953b24117
SHA512 4f9d73cdbbf9e743df442d8f87153d869be1911953a92ee4d572135ac01cd8f1fc6a962e494c4429b22da7efaf8192d5bea5614c09039a0aadd3e24b253a50fa