Analysis
max time kernel: 112s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2022 15:20
Static task: static1
Behavioral task: behavioral1
  Sample: b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
  Resource: win10v2004-20220812-en

General
Target: b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
Size: 423KB
MD5: 5aa991c89a6564a3c6351052e157f9d8
SHA1: f481e3cd126a429c33568070c2ff56d27c41a8ce
SHA256: b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979
SHA512: a2c84b4d4a2c27a1baee0fbed0d7b24ca1b1e2ddde6caad078236ecd931e0a2095fe0561ecc57e83830c4f52462d054d10105cc0aafe657c822515da5ec0f21b
SSDEEP: 6144:H8JsLcpjzTDDmHayakLkrb4NSarQWtT+tG1XRHOGU9gXIodHShK:8zxzTDWikLSb4NS7ET+tG1X/Fh

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware (5 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe | family_chaos
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe | family_chaos
behavioral2/memory/3208-135-0x00000000005A0000-0x00000000005CA000-memory.dmp | family_chaos
C:\Users\Admin\AppData\Roaming\svchost.exe | family_chaos
C:\Users\Admin\AppData\Roaming\svchost.exe | family_chaos

Detected Xorist Ransomware (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | family_xorist
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
pid | process
1376 | bcdedit.exe
3848 | bcdedit.exe

Processes:
pid | process
3664 | wbadmin.exe

Drops file in Drivers directory (8 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | 1.exe
File created | C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt | 1.exe

Executes dropped EXE (3 IoCs)
Processes:
pid | process
3208 | 2.exe
2768 | svchost.exe
4952 | 1.exe

Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Users\Admin\Pictures\PushWait.png => C:\Users\Admin\Pictures\PushWait.png.huis_bn | svchost.exe
File renamed | C:\Users\Admin\Pictures\StartRestore.png => C:\Users\Admin\Pictures\StartRestore.png.huis_bn | svchost.exe
File renamed | C:\Users\Admin\Pictures\SwitchConfirm.png => C:\Users\Admin\Pictures\SwitchConfirm.png.huis_bn | svchost.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | svchost.exe

Drops startup file (5 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\РАСШИФРОВАТЬ ФАЙЛЫ.txt | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\???????????? ?????.txt | 1.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ox6l993g246G8Ko.exe" | 1.exe

Drops desktop.ini file(s) (33 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | svchost.exe

Drops file in System32 directory (64 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\System32\DriverStore\FileRepository\c_computer.inf_amd64_aa72c8894a821b32\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\virtdisk.inf_amd64_9a7f42b85c7def50\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Windows\SysWOW64\ndadmin.exe | 1.exe
File opened for modification | C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe | 1.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\de-DE\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmeiger.inf_amd64_05ca2a1836c16cab\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\uicciso.inf_amd64_32023cb966fd5c8c\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Windows\SysWOW64\esentutl.exe | 1.exe
File opened for modification | C:\Windows\SysWOW64\srdelayed.exe | 1.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\fr-FR\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_fssystemrecovery.inf_amd64_aa57df1ffa9aace0\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_legacydriver.inf_amd64_c07aa9c633b5271e\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\ko-KR\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\oobe\es-ES\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\Speech\Engines\SR\en-US\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_cdrom.inf_amd64_f08f2fe1cde58aef\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_scsiadapter.inf_amd64_efffb8c026d3abc5\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdm5674a.inf_amd64_ec8de8952888a618\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\en-US\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Windows\SysWOW64\InfDefaultInstall.exe | 1.exe
File opened for modification | C:\Windows\SysWOW64\rdrleakdiag.exe | 1.exe
File opened for modification | C:\Windows\SysWOW64\Utilman.exe | 1.exe
File created | C:\Windows\SysWOW64\wbem\en\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmdp2.inf_amd64_6550f790ed88c7ba\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmolic.inf_amd64_7f84203a67c210e4\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\usbnet.inf_amd64_9e6bb7a4b7338267\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\MUI\0410\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\wbem\fr-FR\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\it-IT\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\en-US\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Windows\SysWOW64\chkdsk.exe | 1.exe
File created | C:\Windows\SysWOW64\Dism\de-DE\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\wgencounter.inf_amd64_f496147578cad554\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\ja\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\fr\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Windows\SysWOW64\isoburn.exe | 1.exe
File created | C:\Windows\SysWOW64\migration\es-ES\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe | 1.exe
File opened for modification | C:\Windows\SysWOW64\colorcpl.exe | 1.exe
File created | C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\en-US\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_fsinfrastructure.inf_amd64_1ef682cfd6fc7d1c\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_unknown.inf_amd64_9f92c189b415c003\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netax88179_178a.inf_amd64_b6748bc8bb8ccf4d\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\DiagSvcs\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_netdriver.inf_amd64_2d569d832b41b8df\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_smartcardfilter.inf_amd64_3573afe136371e51\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\itsas35i.inf_amd64_4f5850c71046b0cb\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Windows\SysWOW64\wiaacmgr.exe | 1.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\es-ES\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_450d4b1e35cc8e0d\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\fr-FR\Licenses\Volume\Professional\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Windows\SysWOW64\RMActivate_isv.exe | 1.exe
File opened for modification | C:\Windows\SysWOW64\secinit.exe | 1.exe
File created | C:\Windows\SysWOW64\tr-TR\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\InstallShield\setupdir\0021\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\it-IT\Licenses\Volume\Professional\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SysWOW64\migration\fr-FR\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Windows\SysWOW64\cscript.exe | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\iscsi.inf_amd64_c089962740ea1f84\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mlx4_bus.inf_amd64_4c426f3bebc68844\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\System32\DriverStore\FileRepository\spaceport.inf_amd64_6383331cfa0a32be\HOW TO DECRYPT FILES.txt | 1.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a9odwg20k.jpg" | svchost.exe

Drops file in Program Files directory (64 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-24.png | 1.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\CompleteCheckmark.png | 1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\THMBNAIL.PNG | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-100.png | 1.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured_lg.png | 1.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\MicrosoftEdgeUpdateBroker.exe | 1.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-400.png | 1.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-100.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\pages\winrthost.htm | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-100_contrast-black.png | 1.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\SmallTile.scale-125.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-400_contrast-white.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-150.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\WideTile.scale-100.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png | 1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNG | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-200.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache.scale-200.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-100.png | 1.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Planet.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-unplated_contrast-black.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSplashScreen.scale-100.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-20.png | 1.exe
File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.scale-200.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-300.png | 1.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\da-dk\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt | 1.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-80_altform-unplated.png | 1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-125_contrast-black.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-150_contrast-white.png | 1.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png | 1.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\illustrations_retina.png | 1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png | 1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-400.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-200.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\WebviewOffline.html | 1.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-150.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\LargeTile.scale-100.png | 1.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_MoveDrop32x32.gif | 1.exe
File created | C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-150.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-150.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-24_altform-unplated.png | 1.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\icons_ie8.gif | 1.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small2x.png | 1.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-white_scale-200.png | 1.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured.png | 1.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf | 1.exe

Drops file in Windows directory (64 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..voicecommon-onecore_31bf3856ad364e35_10.0.19041.746_none_133ac2bb3e537369\r\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Messaging.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-ncsi_31bf3856ad364e35_10.0.19041.1_none_6293b716b8418fce\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\r\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-client-li..m-service-migration_31bf3856ad364e35_10.0.19041.84_none_8ea6a37043f4ae90\r\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-basesrv_31bf3856ad364e35_10.0.19041.1_none_c2bbf8598318544b\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-m..-autoplay.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_57eee7dc08744253\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\LearnMore.html | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-nshhttp_31bf3856ad364e35_10.0.19041.964_none_518ed510d35bb200\f\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-opengl.resources_31bf3856ad364e35_10.0.19041.1_en-us_55388e90743776b9\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\rdpsign.exe | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-ehstor-api.resources_31bf3856ad364e35_10.0.19041.1_en-us_34a4e14d6fcd6f24\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-idctrls.resources_31bf3856ad364e35_10.0.19041.1_es-es_7ff0e6489b51528a\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-ie-iechooser.resources_31bf3856ad364e35_11.0.19041.1_de-de_fca2f50c3f3d9a68\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-i...appxmain.resources_31bf3856ad364e35_10.0.19041.1_en-us_945751259cc61d3a\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..ernelmode.resources_31bf3856ad364e35_10.0.19041.1_de-de_9b38e0b35785b52d\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..l-keyboard-0000040d_31bf3856ad364e35_10.0.19041.1_none_b3d11ff8f50b26ea\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-ipconfig.resources_31bf3856ad364e35_10.0.19041.1_es-es_7d9999539d3d6ad4\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\pris\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..m-initmachineconfig_31bf3856ad364e35_10.0.19041.868_none_b471f94f5b1036ba\n\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_en-us_7725a91f1043b62d\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-g..k-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_332fba2f89dd2e37\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..ementwmi-powershell_31bf3856ad364e35_10.0.19041.1_none_9f3afd53271192d6\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_dual_sensorsalsdriver.inf_31bf3856ad364e35_10.0.19041.746_none_7cf0c625c3984554\f\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-security-webauth_31bf3856ad364e35_10.0.19041.1_none_e1940364964a9f22\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-mydocs_31bf3856ad364e35_10.0.19041.746_none_1df0afc39d31a240\r\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..okerplugin.appxmain_31bf3856ad364e35_10.0.19041.1_none_11b2da2074e7d6e4\StoreLogo.scale-100.png | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..turalauthentication_31bf3856ad364e35_10.0.19041.153_none_d1a66a77fe3b57f3\r\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-efsadu.resources_31bf3856ad364e35_10.0.19041.1_it-it_03b7d3b5fe9ffad7\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-ieframe.resources_31bf3856ad364e35_11.0.19041.1_en-us_79a8d08cd7e5bb3a\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-lsa-msprivs.resources_31bf3856ad364e35_10.0.19041.1_nb-no_d81be221202a5cfd\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Assets\PasswordExpiry.scale-400.png | 1.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-r..tance-exe.resources_31bf3856ad364e35_10.0.19041.1_it-it_cedacf4a1a69975a\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-o..chine-dui.resources_31bf3856ad364e35_10.0.19041.1_it-it_76317e6e4376b397\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-p..paces-sso.resources_31bf3856ad364e35_10.0.19041.1_it-it_6c2763f858318c9a\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CertificateServices.PKIClient.Cmdlets.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\Microsoft.NET\Framework\v3.5\MOF\de\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..mplus-msc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_939d08f83e7738f4\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..extension.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_c9cdc532699bfa75\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-m..nsors-api.resources_31bf3856ad364e35_10.0.19041.1_es-es_7efcf868936caefd\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-n..orkbridge.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3479a33a02882d80\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-o..-policies.resources_31bf3856ad364e35_10.0.19041.1_en-us_c4ed144ec53159c2\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..vice-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_8de96efd95b1f71e\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.1266_none_ab5bdb26141e0be5\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeeula-hololens.html | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-dynamic-image_31bf3856ad364e35_10.0.19041.1288_none_b508821aea842ab0\n\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-onecore-quiethours.resources_31bf3856ad364e35_10.0.19041.1_it-it_acd68d34a2af5834\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-wmpeffects_31bf3856ad364e35_10.0.19041.1266_none_6e13bacd44a30951\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.Resources\v4.0_1.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Text.Encoding.Extensions\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-tapi3.resources_31bf3856ad364e35_10.0.19041.1_es-es_739942d33ef804fe\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_269329e90d8f3b5c\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..nable-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_2ef3d577b3bc2a0c\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..-provider.resources_31bf3856ad364e35_10.0.19041.1_en-us_a7c469a4e8e6d9e6\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-onecore-c..propsheet.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_e6f4b500a13a4255\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-n..irtualbus.resources_31bf3856ad364e35_10.0.19041.1_de-de_031a66841b9d46d5\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-p..n-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_9d8dfe977be16a35\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..kenbroker.resources_31bf3856ad364e35_10.0.19041.1_de-de_e730d3144802fce8\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\Boot\EFI\da-DK\HOW TO DECRYPT FILES.txt | 1.exe
File created | C:\Windows\it-IT\HOW TO DECRYPT FILES.txt | 1.exe
File opened for modification
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\5.txt 1.exe File created C:\Windows\INF\SMSvcHost 3.0.0.0\0410\HOW TO DECRYPT FILES.txt 1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments. Note that the process reading these keys here is vds.exe (the Windows Virtual Disk Service, which appears in the process list next to vdsldr.exe -Embedding), not the sample or either payload, so this hit is a by-product of the disk and backup activity rather than evidence of an evasion check by the malware.
Processes:
vds.exe
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 vds.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe -
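The vendor and product strings that such a check compares against hypervisor markers sit in the device-instance key names themselves (VEN_DADY, PROD_HARDDISK). The following Python is an added illustration, not tooling from the sandbox or code from the sample: it parses the two instance paths above exactly as a registry-based VM check would, and applies a hypothetical marker list of the kind evasive samples carry. On this sandbox's DADY devices the check comes back negative, which is what a check of this shape would conclude here; a constructed VBOX path shows the positive case.

```python
import re

# Device-instance key names taken from the SCSI section of this report.
# Constructed input for the example; not read from a live registry.
SCSI_INSTANCE_PATHS = [
    r"SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000",
    r"SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000",
]

# Vendor/product substrings that evasive samples commonly test for.
# Hypothetical list for illustration; real samples carry their own.
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")

# Layout: SCSI\<class>&VEN_<vendor>&PROD_<product>[&REV_<rev>]\<instance id>
_INSTANCE_RE = re.compile(
    r"^SCSI\\(?P<cls>[^&\\]+)&VEN_(?P<vendor>[^&\\]+)&PROD_(?P<product>[^&\\]+)", re.I
)


def parse_scsi_instance(path):
    """Split a device-instance path into class, vendor and product (upper-cased)."""
    m = _INSTANCE_RE.match(path)
    if not m:
        return None
    return {k: v.upper() for k, v in m.groupdict().items()}


def looks_virtual(device, markers=VM_MARKERS):
    """True when the vendor or product string carries a hypervisor marker."""
    hay = f"{device['vendor']} {device['product']}"
    return any(marker in hay for marker in markers)


def sandbox_verdict(paths, markers=VM_MARKERS):
    """What a registry-based VM check would conclude from these instance paths."""
    devices = [d for d in map(parse_scsi_instance, paths) if d]
    flagged = [d for d in devices if looks_virtual(d, markers)]
    return {"devices": devices, "flagged": flagged, "virtual": bool(flagged)}


if __name__ == "__main__":
    verdict = sandbox_verdict(SCSI_INSTANCE_PATHS)
    for d in verdict["devices"]:
        print(d["cls"], d["vendor"], d["product"], "VM marker" if looks_virtual(d) else "no marker")
    print("virtual:", verdict["virtual"])
```

The FriendlyName values queried above are built from the same vendor and product strings, so a sandbox that rewrites the instance names (as this one evidently does) also changes what a FriendlyName-based check sees.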
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery. Here both vssadmin delete shadows /all /quiet and wmic shadowcopy delete are issued by the dropped svchost.exe through a cmd.exe child. The vssvc.exe (PID 1392) and wbengine.exe (PID 3756) entries in the process list are the Volume Shadow Copy service and the Windows Backup engine that service the vssadmin and wbadmin requests; they are Windows components, not payloads.
Processes:
vssadmin.exe
pid process
960 vssadmin.exe -
Modifies registry class 11 IoCs
Processes:
1.exe, svchost.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.huis_bn 1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\ = "CRYPTED!" 1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ox6l993g246G8Ko.exe" 1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell\open\command 1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell 1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell\open 1.exe
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.huis_bn\ = "ZRMHJJVQXVFBFMX" 1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX 1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\DefaultIcon 1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ox6l993g246G8Ko.exe,0" 1.exe
Taken together, the 1.exe entries register the .huis_bn extension to a new ProgID ZRMHJJVQXVFBFMX whose display name is CRYPTED! and whose open command and DefaultIcon both point at C:\Users\Admin\AppData\Local\Temp\Ox6l993g246G8Ko.exe, so double-clicking an encrypted file launches that executable. The single svchost.exe entry under the user hive is unrelated to the association. -
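To see how those eleven entries fit together, the following Python is an added example (not part of the report, the sandbox, or the sample): it parses the entries as the sandbox prints them, rebuilds the extension-to-ProgID-to-handler chain, and scores the result, contrasting it with a constructed benign association of the kind an installer writes. The parsing regexes, the user-writable path hints and the benign sample are assumptions of the example; the reconstruction works for any extension hijack written through HKLM\SOFTWARE\Classes this way, not only this one.

```python
import re

# Registry operations copied from the "Modifies registry class" section of this
# report, one per line as the sandbox prints them. Parsing code is added
# illustration, not sandbox tooling.
REGISTRY_OPS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.huis_bn 1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\ = "CRYPTED!" 1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ox6l993g246G8Ko.exe" 1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell\open\command 1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell 1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell\open 1.exe
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.huis_bn\ = "ZRMHJJVQXVFBFMX" 1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX 1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\DefaultIcon 1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ox6l993g246G8Ko.exe,0" 1.exe
"""

# Constructed benign comparison: a hypothetical installer registering .foo.
BENIGN_OPS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.foo setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.foo\ = "FooFile" setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FooFile\shell\open\command\ = "\"C:\\Program Files\\Foo\\foo.exe\" \"%1\"" setup.exe
"""

CLASSES_PREFIX = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"
_KEY_RE = re.compile(r"^Key created (?P<key>.+) (?P<proc>\S+)$")
_VAL_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<val>.*)" (?P<proc>\S+)$')
# Path fragments that an unprivileged user can write to (assumed hint list).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def _unescape(value):
    """The sandbox prints values with doubled backslashes and escaped quotes."""
    return value.replace("\\\\", "\\").replace('\\"', '"')


def parse_ops(text):
    """Return (created_keys, default_values) restricted to HKLM\\SOFTWARE\\Classes."""
    created, values = {}, {}
    for line in text.strip().splitlines():
        m = _VAL_RE.match(line)
        if m:
            if m["key"].startswith(CLASSES_PREFIX):
                rel = m["key"][len(CLASSES_PREFIX):]
                # a trailing backslash in the printed key means the key's (Default) value
                values[rel.rstrip("\\")] = (_unescape(m["val"]), m["proc"])
            continue
        m = _KEY_RE.match(line)
        if m and m["key"].startswith(CLASSES_PREFIX):
            created[m["key"][len(CLASSES_PREFIX):]] = m["proc"]
    return created, values


def reconstruct_associations(text):
    """Follow extension -> ProgID -> shell\\open\\command and DefaultIcon."""
    created, values = parse_ops(text)
    assocs = []
    for key, (progid, proc) in values.items():
        if not key.startswith("."):
            continue
        assocs.append({
            "extension": key,
            "progid": progid,
            "friendly_name": values.get(progid, (None, None))[0],
            "command": values.get(progid + "\\shell\\open\\command", (None, None))[0],
            "icon": values.get(progid + "\\DefaultIcon", (None, None))[0],
            "process": proc,
            "progid_created": progid in created,
        })
    return assocs


def handler_exe(command):
    """First token of the open command: the quoted path if quoted, else the first word."""
    if not command:
        return None
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else None


def assess(assoc):
    """Reasons an association looks like a ransomware extension hijack."""
    reasons = []
    exe = handler_exe(assoc["command"])
    if exe and any(h in exe.lower() for h in USER_WRITABLE_HINTS):
        reasons.append(f"handler lives in a user-writable location: {exe}")
    if assoc["progid_created"]:
        reasons.append(f"ProgID {assoc['progid']} was created by the same process ({assoc['process']})")
    if assoc["friendly_name"] and "crypt" in assoc["friendly_name"].lower():
        reasons.append(f"friendly name reads {assoc['friendly_name']!r}")
    return reasons


if __name__ == "__main__":
    for a in reconstruct_associations(REGISTRY_OPS) + reconstruct_associations(BENIGN_OPS):
        print(a["extension"], "->", a["progid"], "->", a["command"])
        for r in assess(a):
            print("   !", r)
```

The "ProgID created by the same process" reason is weak on its own, since installers do exactly that; it becomes meaningful combined with a handler under %TEMP% and a display name like CRYPTED!, which is why the example reports reasons as a list rather than a single verdict.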
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
svchost.exe
pid process
2768 svchost.exe -
Suspicious behavior: EnumeratesProcesses 53 IoCs
Processes:
2.exe, svchost.exe
pid process
3208 2.exe (25 entries)
2768 svchost.exe (28 entries) -
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
2.exe, svchost.exe, vssvc.exe, WMIC.exe, wbengine.exe
description pid process
Token: SeDebugPrivilege 3208 2.exe
Token: SeDebugPrivilege 2768 svchost.exe
Token: SeBackupPrivilege 1392 vssvc.exe
Token: SeRestorePrivilege 1392 vssvc.exe
Token: SeAuditPrivilege 1392 vssvc.exe
Token: SeIncreaseQuotaPrivilege 224 WMIC.exe
Token: SeSecurityPrivilege 224 WMIC.exe
Token: SeTakeOwnershipPrivilege 224 WMIC.exe
Token: SeLoadDriverPrivilege 224 WMIC.exe
Token: SeSystemProfilePrivilege 224 WMIC.exe
Token: SeSystemtimePrivilege 224 WMIC.exe
Token: SeProfSingleProcessPrivilege 224 WMIC.exe
Token: SeIncBasePriorityPrivilege 224 WMIC.exe
Token: SeCreatePagefilePrivilege 224 WMIC.exe
Token: SeBackupPrivilege 224 WMIC.exe
Token: SeRestorePrivilege 224 WMIC.exe
Token: SeShutdownPrivilege 224 WMIC.exe
Token: SeDebugPrivilege 224 WMIC.exe
Token: SeSystemEnvironmentPrivilege 224 WMIC.exe
Token: SeRemoteShutdownPrivilege 224 WMIC.exe
Token: SeUndockPrivilege 224 WMIC.exe
Token: SeManageVolumePrivilege 224 WMIC.exe
Token: 33 224 WMIC.exe
Token: 34 224 WMIC.exe
Token: 35 224 WMIC.exe
Token: 36 224 WMIC.exe
(the same 21 token adjustments are recorded a second time for 224 WMIC.exe)
Token: SeBackupPrivilege 3756 wbengine.exe
Token: SeRestorePrivilege 3756 wbengine.exe
Token: SeSecurityPrivilege 3756 wbengine.exe
Note: wmic.exe enables every privilege present in its token when it starts, so the long WMIC.exe list is what any wmic invocation produces; the meaningful signal is the shadowcopy delete argument on its command line. The SeDebugPrivilege adjustments by 2.exe and the dropped svchost.exe are the payload's own. -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe, 2.exe, svchost.exe, cmd.exe, cmd.exe, cmd.exe
description pid process target process
PID 4460 wrote to memory of 3208 4460 b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe 2.exe (2 entries)
PID 3208 wrote to memory of 2768 3208 2.exe svchost.exe (2 entries)
PID 4460 wrote to memory of 4952 4460 b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe 1.exe (3 entries)
PID 2768 wrote to memory of 4444 2768 svchost.exe cmd.exe (2 entries)
PID 4444 wrote to memory of 960 4444 cmd.exe vssadmin.exe (2 entries)
PID 4444 wrote to memory of 224 4444 cmd.exe WMIC.exe (2 entries)
PID 2768 wrote to memory of 3128 2768 svchost.exe cmd.exe (2 entries)
PID 3128 wrote to memory of 1376 3128 cmd.exe bcdedit.exe (2 entries)
PID 3128 wrote to memory of 3848 3128 cmd.exe bcdedit.exe (2 entries)
PID 2768 wrote to memory of 3676 2768 svchost.exe cmd.exe (2 entries)
PID 3676 wrote to memory of 3664 3676 cmd.exe wbadmin.exe (2 entries)
PID 2768 wrote to memory of 2672 2768 svchost.exe NOTEPAD.EXE (2 entries)
Every target above is the writer's own freshly launched child, consistent with the writes a parent makes into a new child's address space at process creation rather than with injection into an unrelated process; the process tree below, not the API call, is the signal here.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe"C:\Users\Admin\AppData\Local\Temp\b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete4⤵
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:960 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
PID:224 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no4⤵
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:1376 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
PID:3848 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet4⤵
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet5⤵
- Deletes backup catalog
PID:3664 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\РАСШИФРОВАТЬ ФАЙЛЫ.txtРАСШИФРОВАТЬ ФАЙЛЫ.txt4⤵PID:2672
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:4952
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3756
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:4188
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:2620
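The chain above (vssadmin and wmic against shadow copies, bcdedit against boot recovery, wbadmin against the backup catalog, all launched from the dropped svchost.exe through three cmd.exe children) is the recovery-inhibition pattern (MITRE ATT&CK T1490) that detection engineers key on. The following Python is an added example, not tooling from the sandbox, the report or the sample: it runs command-line rules over constructed Sysmon-style process-creation records that reproduce this report's tree plus one benign vssadmin list shadows record, attributes each leaf command to the non-shell process that initiated it, and raises one alert per initiating process once more than one distinct technique is seen. The record field names, rule names, shell list and system-binary list are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1-style records (reduced fields) reproducing the
# process tree in this report, plus benign records at the end. Sample data
# built for this example, not events exported from the sandbox.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe"
EVENTS = [
    {"pid": 4460, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3208, "ppid": 4460, "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe"'},
    {"pid": 2768, "ppid": 3208, "image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'},
    {"pid": 4444, "ppid": 2768, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'},
    {"pid": 960, "ppid": 4444, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 224, "ppid": 4444, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 3128, "ppid": 2768, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'},
    {"pid": 1376, "ppid": 3128, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 3848, "ppid": 3128, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 3676, "ppid": 2768, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet'},
    {"pid": 3664, "ppid": 3676, "image": r"C:\Windows\system32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    # Benign, constructed: an administrator listing shadow copies from a console.
    {"pid": 5000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'"C:\Windows\System32\cmd.exe"'},
    {"pid": 5002, "ppid": 5001, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]

# Recovery-inhibition commands (ATT&CK T1490), matched on the leaf command line.
RULES = (
    ("shadow_copy_delete", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("boot_recovery_disable", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_recovery_disable", re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_masquerading_system_binary(image):
    """A core Windows binary name running from outside the system directories."""
    low = image.lower()
    return _basename(low) in SYSTEM_BINARY_NAMES and not low.startswith(SYSTEM_DIRS)


def originating_process(pid, by_pid):
    """Walk up through interpreter shells to the process that issued the command."""
    ev = by_pid.get(pid)
    seen = set()
    while ev is not None and ev["pid"] not in seen:
        seen.add(ev["pid"])
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            return ev  # top of the tree we know about
        if _basename(parent["image"]) not in SHELLS:
            return parent
        ev = parent
    return ev


def find_recovery_inhibition(events, min_techniques=2):
    """One alert per initiating process that used at least min_techniques distinct techniques."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(lambda: {"techniques": set(), "commands": []})
    for ev in events:
        if _basename(ev["image"]) in SHELLS:
            continue  # a shell's command line repeats its children's; score leaves only
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                origin = originating_process(ev["pid"], by_pid)
                rec = hits[origin["pid"]]
                rec["image"] = origin["image"]
                rec["techniques"].add(name)
                rec["commands"].append(ev["cmdline"])
                break
    return [
        {"pid": pid, "image": rec["image"], "techniques": sorted(rec["techniques"]),
         "commands": rec["commands"], "masquerading": is_masquerading_system_binary(rec["image"])}
        for pid, rec in hits.items() if len(rec["techniques"]) >= min_techniques
    ]


if __name__ == "__main__":
    for alert in find_recovery_inhibition(EVENTS):
        flag = " (masquerading as a system binary)" if alert["masquerading"] else ""
        print(f"PID {alert['pid']} {alert['image']}{flag}")
        for technique in alert["techniques"]:
            print("  ", technique)
```

Scoring the leaf processes rather than cmd.exe avoids double-counting, since each cmd.exe command line here repeats the commands of its children. The threshold of two distinct techniques is a tuning knob: in most estates a lone vssadmin delete shadows already deserves an alert, and an svchost.exe running from AppData\Roaming would justify one on its own.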
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 57KB (listed twice in the report)
MD5 bc9b44d8e5eb1543a26c16c2d45f8ab7
SHA1 6486e7f0a5a6fdd35913f790af2e3effc42ee994
SHA256 767312fe8e5224f5ab86f92dbe6bb7a9bfbab2850ff7238b88d1af753a5563ce
SHA512 50b357619d89158aeda54c759af41f7a6a37a279a53c9a2995857f4603532ac553e593a4ce4b287330cb66eb59646cac8449731965e7d4074c6217e818cc5e9e
-
Filesize 141KB (listed four times in the report)
MD5 acea7e35f8878aea046a7eb35d0b8330
SHA1 16df89d9ab87b2e0473b284bcd808109a1d5c830
SHA256 8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe
SHA512 99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71
-
Filesize 44KB
MD5 3773fa0f5897ea585a8c07c4030b0b83
SHA1 5f9c1ce9b5a00a8c219f89faa018581a37be12d2
SHA256 75151aece601ec9160c3a006d187837cadedc95382502e19431b776042d7f12c
SHA512 b25b382f99e757d64dd663fa817d9cd5f773aa04986d817fdb0ca6d658cae65f9531e8d83c52d7b5c77b37e4421451fd2f745defcb05146bbdab37b06a4f9f15
-
Filesize 331B
MD5 2257eeabd7acd4f3fce17525c2ba93e3
SHA1 8807bb45e47534f928a08f20520b97eaea254fff
SHA256 b0d70f954eff523a253f4811051b149529b8e8a93e721e4c26cb399953b24117
SHA512 4f9d73cdbbf9e743df442d8f87153d869be1911953a92ee4d572135ac01cd8f1fc6a962e494c4429b22da7efaf8192d5bea5614c09039a0aadd3e24b253a50fa