c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40

General

Target

c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Size

2.9MB
MD5

ccde3fe374a219ed3a85a0bf548542c3
SHA1

c1187fe0eaddee995773d6c66bcb558536e9b62c
SHA256

c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40
SHA512

94852c04d6f627b35a7486de166648eb43373850b862e1958e676c53fd5dc37103659fe28e2b51f2fffd815ded2745d8793d8158543ff14b1e1f0cafe2a3c63c
SSDEEP

49152:4dwE1vCCeShiBHJFIPiEPE3bvk6Ca89388YhwjfJNt/RgaJ2wtb:WwE1253IPiYE3bnCa8Hzj5vwwtb

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

C:\RECOVER-mfqssdj-FILES.txt

Ransom Note

>> What happened? Important files on your network was ENCRYPTED and now they have "mfqssdj" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. - Manufacturing documents including: datagrams, schemas, drawings in solidworks format. - Source code. -And more... >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? Follow these simple steps to get everything back to normal: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=RrffeR4CVartLMYTErq9%2FPVD%2Fz4sez5toskePW0P8urvDeotAomkbpUCg6JYW4MMxbX73YDPXMk3wQW0oSYnXGy5aGuT9ZPXpJKPaE6kYN9nNcxMBi92FcIv80rEpVUY9S5ukN796JGSdG%2BeWBVgx6nvw2vlhogyu35Ht2Iz6r6Zcc4J4mdX6RuzKXu5eny7saSaH0LMN6GYnIUfTF5UMR%2BtUchaTLOHyU5i1FnYeueodio9ECm8BgQ5Hbb3%2BIWlgrlEf4htHAwvPwCn2ld8lheacG87vkFKekfFCGErE5lNgNr12JSohBq1tH%2B3O8gw%2FG86wBsC46qR82KshQKpzQ%3D%3D

URLs

http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=RrffeR4CVartLMYTErq9%2FPVD%2Fz4sez5toskePW0P8urvDeotAomkbpUCg6JYW4MMxbX73YDPXMk3wQW0oSYnXGy5aGuT9ZPXpJKPaE6kYN9nNcxMBi92FcIv80rEpVUY9S5ukN796JGSdG%2BeWBVgx6nvw2vlhogyu35Ht2Iz6r6Zcc4J4mdX6RuzKXu5eny7saSaH0LMN6GYnIUfTF5UMR%2BtUchaTLOHyU5i1FnYeueodio9ECm8BgQ5Hbb3%2BIWlgrlEf4htHAwvPwCn2ld8lheacG87vkFKekfFCGErE5lNgNr12JSohBq1tH%2B3O8gw%2FG86wBsC46qR82KshQKpzQ%3D%3D

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1760 bcdedit.exe
1692 bcdedit.exe

pid	process
1760	bcdedit.exe
1692	bcdedit.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\CopyConnect.tiff	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
File renamed	C:\Users\Admin\Pictures\AddMerge.png => C:\Users\Admin\Pictures\AddMerge.png.mfqssdj	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
File opened for modification	C:\Users\Admin\Pictures\AddMerge.png.mfqssdj	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
File renamed	C:\Users\Admin\Pictures\CopyConnect.tiff => C:\Users\Admin\Pictures\CopyConnect.tiff.mfqssdj	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
File opened for modification	C:\Users\Admin\Pictures\CopyConnect.tiff.mfqssdj	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe

description ioc process

File opened (read-only) \??\Z: c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe

description	ioc	process
File opened (read-only)	\??\Z:	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\Desktop\\RECOVER-mfqssdj-FILES.txt.png"	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\RECOVER-mfqssdj-FILES.txt.png"	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1908 vssadmin.exe
1216 vssadmin.exe

pid	process
1908	vssadmin.exe
1216	vssadmin.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\WallpaperStyle = "0"	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe

pid	process
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exec3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	916	WMIC.exe
Token: SeSecurityPrivilege	916	WMIC.exe
Token: SeTakeOwnershipPrivilege	916	WMIC.exe
Token: SeLoadDriverPrivilege	916	WMIC.exe
Token: SeSystemProfilePrivilege	916	WMIC.exe
Token: SeSystemtimePrivilege	916	WMIC.exe
Token: SeProfSingleProcessPrivilege	916	WMIC.exe
Token: SeIncBasePriorityPrivilege	916	WMIC.exe
Token: SeCreatePagefilePrivilege	916	WMIC.exe
Token: SeBackupPrivilege	916	WMIC.exe
Token: SeRestorePrivilege	916	WMIC.exe
Token: SeShutdownPrivilege	916	WMIC.exe
Token: SeDebugPrivilege	916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	916	WMIC.exe
Token: SeRemoteShutdownPrivilege	916	WMIC.exe
Token: SeUndockPrivilege	916	WMIC.exe
Token: SeManageVolumePrivilege	916	WMIC.exe
Token: 33	916	WMIC.exe
Token: 34	916	WMIC.exe
Token: 35	916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	916	WMIC.exe
Token: SeSecurityPrivilege	916	WMIC.exe
Token: SeTakeOwnershipPrivilege	916	WMIC.exe
Token: SeLoadDriverPrivilege	916	WMIC.exe
Token: SeSystemProfilePrivilege	916	WMIC.exe
Token: SeSystemtimePrivilege	916	WMIC.exe
Token: SeProfSingleProcessPrivilege	916	WMIC.exe
Token: SeIncBasePriorityPrivilege	916	WMIC.exe
Token: SeCreatePagefilePrivilege	916	WMIC.exe
Token: SeBackupPrivilege	916	WMIC.exe
Token: SeRestorePrivilege	916	WMIC.exe
Token: SeShutdownPrivilege	916	WMIC.exe
Token: SeDebugPrivilege	916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	916	WMIC.exe
Token: SeRemoteShutdownPrivilege	916	WMIC.exe
Token: SeUndockPrivilege	916	WMIC.exe
Token: SeManageVolumePrivilege	916	WMIC.exe
Token: 33	916	WMIC.exe
Token: 34	916	WMIC.exe
Token: 35	916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeSecurityPrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeTakeOwnershipPrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeLoadDriverPrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeSystemProfilePrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeSystemtimePrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeProfSingleProcessPrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeIncBasePriorityPrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeCreatePagefilePrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeBackupPrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeRestorePrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeShutdownPrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeDebugPrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeSystemEnvironmentPrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeChangeNotifyPrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeRemoteShutdownPrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeUndockPrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeManageVolumePrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeImpersonatePrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeCreateGlobalPrivilege	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: 33	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: 34	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: 35	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Token: SeIncreaseQuotaPrivilege	764	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.execmd.execmd.execmd.execmd.execmd.execmd.exec3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.execmd.execmd.exe

description	pid	process	target process
PID 1112 wrote to memory of 1780	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1780	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1780	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1780	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1780 wrote to memory of 916	1780	cmd.exe	WMIC.exe
PID 1780 wrote to memory of 916	1780	cmd.exe	WMIC.exe
PID 1780 wrote to memory of 916	1780	cmd.exe	WMIC.exe
PID 1780 wrote to memory of 916	1780	cmd.exe	WMIC.exe
PID 1112 wrote to memory of 1764	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1764	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1764	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1764	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1764 wrote to memory of 1412	1764	cmd.exe	fsutil.exe
PID 1764 wrote to memory of 1412	1764	cmd.exe	fsutil.exe
PID 1764 wrote to memory of 1412	1764	cmd.exe	fsutil.exe
PID 1764 wrote to memory of 1412	1764	cmd.exe	fsutil.exe
PID 1112 wrote to memory of 1416	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1416	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1416	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1416	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1416 wrote to memory of 300	1416	cmd.exe	fsutil.exe
PID 1416 wrote to memory of 300	1416	cmd.exe	fsutil.exe
PID 1416 wrote to memory of 300	1416	cmd.exe	fsutil.exe
PID 1416 wrote to memory of 300	1416	cmd.exe	fsutil.exe
PID 1112 wrote to memory of 828	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 828	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 828	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 828	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1364	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1364	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1364	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1364	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 864	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 864	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 864	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 864	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 864 wrote to memory of 1908	864	cmd.exe	vssadmin.exe
PID 864 wrote to memory of 1908	864	cmd.exe	vssadmin.exe
PID 864 wrote to memory of 1908	864	cmd.exe	vssadmin.exe
PID 1364 wrote to memory of 1372	1364	cmd.exe	reg.exe
PID 1364 wrote to memory of 1372	1364	cmd.exe	reg.exe
PID 1364 wrote to memory of 1372	1364	cmd.exe	reg.exe
PID 1364 wrote to memory of 1372	1364	cmd.exe	reg.exe
PID 1112 wrote to memory of 1972	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1972	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1972	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1972	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1972 wrote to memory of 1808	1972	cmd.exe	ARP.EXE
PID 1972 wrote to memory of 1808	1972	cmd.exe	ARP.EXE
PID 1972 wrote to memory of 1808	1972	cmd.exe	ARP.EXE
PID 1972 wrote to memory of 1808	1972	cmd.exe	ARP.EXE
PID 396 wrote to memory of 1932	396	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 396 wrote to memory of 1932	396	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 396 wrote to memory of 1932	396	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 396 wrote to memory of 1932	396	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1932 wrote to memory of 764	1932	cmd.exe	WMIC.exe
PID 1932 wrote to memory of 764	1932	cmd.exe	WMIC.exe
PID 1932 wrote to memory of 764	1932	cmd.exe	WMIC.exe
PID 1932 wrote to memory of 764	1932	cmd.exe	WMIC.exe
PID 1112 wrote to memory of 1736	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1736	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1736	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1112 wrote to memory of 1736	1112	c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe	cmd.exe
PID 1736 wrote to memory of 1904	1736	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe --access-token 12345
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "wmic csproduct get UUID"
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get UUID
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2L:1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\fsutil.exe
fsutil behavior set SymlinkEvaluation R2L:1
3⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2R:1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\fsutil.exe
fsutil behavior set SymlinkEvaluation R2R:1
3⤵
PID:300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "iisreset.exe /stop"
2⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
3⤵
PID:1372

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"
2⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "arp -a"
2⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\ARP.EXE
arp -a
3⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
"C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe" --child --access-token 12345
2⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "wmic csproduct get UUID"
3⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get UUID
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe Shadowcopy Delete
3⤵
PID:1904

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "bcdedit /set {default}"
2⤵
PID:1100

C:\Windows\system32\bcdedit.exe
bcdedit /set {default}
3⤵
- Modifies boot configuration data using bcdedit
PID:1760

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
2⤵
PID:696

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:1692

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""
2⤵
PID:932

C:\Windows\system32\cmd.exe
cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"
3⤵
PID:1016

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"
2⤵
PID:232

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1216

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"
2⤵
PID:1904

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe Shadowcopy Delete
3⤵
PID:1972

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""
2⤵
PID:1692

C:\Windows\system32\cmd.exe
cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"
3⤵
PID:472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

3

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/232-79-0x0000000000000000-mapping.dmp

Download
memory/300-60-0x0000000000000000-mapping.dmp

Download
memory/472-84-0x0000000000000000-mapping.dmp

Download
memory/696-75-0x0000000000000000-mapping.dmp

Download
memory/764-70-0x0000000000000000-mapping.dmp

Download
memory/828-61-0x0000000000000000-mapping.dmp

Download
memory/864-63-0x0000000000000000-mapping.dmp

Download
memory/916-56-0x0000000000000000-mapping.dmp

Download
memory/932-77-0x0000000000000000-mapping.dmp

Download
memory/1016-78-0x0000000000000000-mapping.dmp

Download
memory/1100-73-0x0000000000000000-mapping.dmp

Download
memory/1112-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/1216-80-0x0000000000000000-mapping.dmp

Download
memory/1364-62-0x0000000000000000-mapping.dmp

Download
memory/1372-65-0x0000000000000000-mapping.dmp

Download
memory/1412-58-0x0000000000000000-mapping.dmp

Download
memory/1416-59-0x0000000000000000-mapping.dmp

Download
memory/1692-76-0x0000000000000000-mapping.dmp

Download
memory/1692-83-0x0000000000000000-mapping.dmp

Download
memory/1736-71-0x0000000000000000-mapping.dmp

Download
memory/1760-74-0x0000000000000000-mapping.dmp

Download
memory/1764-57-0x0000000000000000-mapping.dmp

Download
memory/1780-55-0x0000000000000000-mapping.dmp

Download
memory/1808-67-0x0000000000000000-mapping.dmp

Download
memory/1904-72-0x0000000000000000-mapping.dmp

Download
memory/1904-81-0x0000000000000000-mapping.dmp

Download
memory/1908-64-0x0000000000000000-mapping.dmp

Download
memory/1932-69-0x0000000000000000-mapping.dmp

Download
memory/1972-66-0x0000000000000000-mapping.dmp

Download
memory/1972-82-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads