Analysis
- max time kernel: 143s
- max time network: 202s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 15:00
Static task: static1
Behavioral task: behavioral1
  Sample: 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
  Resource: win10v2004-20220812-en
General
- Target: 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
- Size: 615KB
- MD5: 76f2908839a8cb236819193c952aaa13
- SHA1: 28b6c936d6e245c726239aa950004d9077f8198f
- SHA256: 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634
- SHA512: f49504f4927c1ee2ed36367fcca343f3ee99d96bf2d04cf57814051a440e8e554e665988931bde03fd37f6715cd92029f1ed75968c7b0348c16f4eb5ed5daa11
- SSDEEP: 1536:/qFOkRWgN4LPsfi8LEpc+GlbFvY0KUDeCiAM9VTow8Qxg9z:ChWRhTp9G7mUDLiAM9VTow8Q6V
Malware Config (extracted)
- Path: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
- Family: makop
- Email: fairexchange@qq.com
Signatures
- Makop
  Ransomware family discovered by @VK_Intel in early 2020.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
  description | pid | process | target process
  PID 4716 created 384 | 4716 | svchost.exe | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  Processes:
  pid | process
  3700 | wbadmin.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe\"" | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (21 IoCs)
  Processes:
  pid | process
  5088 | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe (11 entries)
  2652 | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe (10 entries)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  description | pid | process | target process
  PID 5088 set thread context of 384 | 5088 | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
  PID 2652 set thread context of 4944 | 2652 | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
- Drops file in Program Files directory (64 IoCs)
  Processes (the process column is 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe for every row):
  description | ioc
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\SmallTile.scale-100.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay.winmd
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\readme-warning.txt
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36_altform-lightunplated.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-96.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white_devicefamily-colorfulunplated.png
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileOneNote32x32.png
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-125.png
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-125.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons2x.png
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README_en_GB.txt
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.scale-100_contrast-black.png
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-200.png
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptySearch.scale-125.png
  File created | C:\Program Files\Microsoft Office\root\Office16\3082\readme-warning.txt
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.White@2x.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-125.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\plugin.js
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\bg_get.svg
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptySearch.scale-125.png
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-96_altform-lightunplated.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\ui-strings.js
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Eye.png
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\ffjcext.zip
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-24_altform-unplated.png
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\readme-warning.txt
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\readme-warning.txt
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\hijrah-config-umalqura.properties
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionSmallTile.scale-400.png
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-125.png
  File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\readme-warning.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\ui-strings.js
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nb-no\readme-warning.txt
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-400.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-32_altform-unplated_contrast-white.png
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\readme-warning.txt
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\readme-warning.txt
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OFFSYMB.TTF
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\MedTile.scale-125.png
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\nacl_irt_x86_64.nexe.DATA
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-lightunplated.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\plugin.js
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\ui-strings.js
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-125_contrast-white.png
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-48_contrast-white.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\selector.js
  File opened for modification | C:\Program Files (x86)\Common Files\System\ado\adovbs.inc
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes:
  pid | pid_target | process | target process
  3564 | 5088 | WerFault.exe | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
  1632 | 2652 | WerFault.exe | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
- Delays execution with timeout.exe (2 IoCs)
  Processes:
  pid | process
  856 | timeout.exe
  1132 | timeout.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  pid | process
  4168 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
  pid | process
  5088 | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe (3 entries)
  2652 | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe (3 entries)
  384 | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (52 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 5088 | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
  Token: SeTcbPrivilege | 4716 | svchost.exe (2 entries)
  Token: SeBackupPrivilege | 4904 | vssvc.exe
  Token: SeRestorePrivilege | 4904 | vssvc.exe
  Token: SeAuditPrivilege | 4904 | vssvc.exe
  Token: SeBackupPrivilege | 2888 | wbengine.exe
  Token: SeRestorePrivilege | 2888 | wbengine.exe
  Token: SeSecurityPrivilege | 2888 | wbengine.exe
  Token: SeDebugPrivilege | 2652 | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
  Token: SeIncreaseQuotaPrivilege | 660 | WMIC.exe
  Token: SeSecurityPrivilege | 660 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 660 | WMIC.exe
  Token: SeLoadDriverPrivilege | 660 | WMIC.exe
  Token: SeSystemProfilePrivilege | 660 | WMIC.exe
  Token: SeSystemtimePrivilege | 660 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 660 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 660 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 660 | WMIC.exe
  Token: SeBackupPrivilege | 660 | WMIC.exe
  Token: SeRestorePrivilege | 660 | WMIC.exe
  Token: SeShutdownPrivilege | 660 | WMIC.exe
  Token: SeDebugPrivilege | 660 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 660 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 660 | WMIC.exe
  Token: SeUndockPrivilege | 660 | WMIC.exe
  Token: SeManageVolumePrivilege | 660 | WMIC.exe
  Token: 33 | 660 | WMIC.exe
  Token: 34 | 660 | WMIC.exe
  Token: 35 | 660 | WMIC.exe
  Token: 36 | 660 | WMIC.exe
  (Each of the 21 WMIC.exe rows above is recorded twice in the report, in the same order.)
- Suspicious use of WriteProcessMemory (45 IoCs)
  Processes:
  description | pid | process | target process
  PID 5088 wrote to memory of 4960 | 5088 | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe | cmd.exe (3 entries)
  PID 4960 wrote to memory of 856 | 4960 | cmd.exe | timeout.exe (3 entries)
  PID 5088 wrote to memory of 384 | 5088 | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe (9 entries)
  PID 4716 wrote to memory of 2652 | 4716 | svchost.exe | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe (7 entries)
  PID 384 wrote to memory of 3596 | 384 | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe | cmd.exe (2 entries)
  PID 2652 wrote to memory of 228 | 2652 | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe | cmd.exe (3 entries)
  PID 3596 wrote to memory of 4168 | 3596 | cmd.exe | vssadmin.exe (2 entries)
  PID 228 wrote to memory of 1132 | 228 | cmd.exe | timeout.exe (3 entries)
  PID 3596 wrote to memory of 3700 | 3596 | cmd.exe | wbadmin.exe (2 entries)
  PID 2652 wrote to memory of 4944 | 2652 | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe | 13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe (9 entries)
  PID 3596 wrote to memory of 660 | 3596 | cmd.exe | WMIC.exe (2 entries)
Processes (process tree; nesting shows parent/child relationships)
- C:\Users\Admin\AppData\Local\Temp\13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe"
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c timeout 1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      command line: timeout 1
      - Delays execution with timeout.exe
  - C:\Users\Admin\AppData\Local\Temp\13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe" n384
      - Checks computer location settings
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c timeout 1
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\timeout.exe
          command line: timeout 1
          - Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Local\Temp\13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\13c9d681432c3a57f8de0d295a1bf36c5a72587339bbb629e9467697d75c5634.exe"
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 1472
        - Program crash
    - C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
      - C:\Windows\system32\wbadmin.exe
        command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
      - C:\Windows\System32\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1460
    - Program crash
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5088 -ip 5088
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2652 -ip 2652
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/228-144-0x0000000000000000-mapping.dmp
- memory/384-137-0x0000000000000000-mapping.dmp
- memory/384-138-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/384-140-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/384-143-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/660-153-0x0000000000000000-mapping.dmp
- memory/856-135-0x0000000000000000-mapping.dmp
- memory/1132-146-0x0000000000000000-mapping.dmp
- memory/2652-141-0x0000000000000000-mapping.dmp
- memory/3596-142-0x0000000000000000-mapping.dmp
- memory/3700-147-0x0000000000000000-mapping.dmp
- memory/4168-145-0x0000000000000000-mapping.dmp
- memory/4944-148-0x0000000000000000-mapping.dmp
- memory/4944-152-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/4960-134-0x0000000000000000-mapping.dmp
- memory/5088-132-0x00000000007B0000-0x0000000000850000-memory.dmp (Filesize: 640KB)
- memory/5088-136-0x0000000006210000-0x00000000067B4000-memory.dmp (Filesize: 5.6MB)
- memory/5088-133-0x0000000005170000-0x000000000520C000-memory.dmp (Filesize: 624KB)