Analysis
max time kernel: 30s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 11-03-2023 16:58
Behavioral task behavioral1: sample Q7B3RC.bin.exe, resource win7-20230220-en
Behavioral task behavioral2: sample Q7B3RC.bin.exe, resource win10v2004-20230221-en
General
Target: Q7B3RC.bin.exe
Size: 229KB
MD5: 2979ed84c4ca3deb2924bd1f26bf88bd
SHA1: 8f01f9112904389e0b53a25506ef69f99cc0fa1b
SHA256: bcf49e8f493c9eff83d9bc891e91dc91777f02b4f176e44b20f9a2d651f20fc3
SHA512: bd0088d587357851da5e4a7bd9cb1034c404cd5db9a12b9b27efa68a8a28b250d4a2c7346eff0cd14955713cbc13698a6c646d0d573602ccc0f7bda3d0c2d37f
SSDEEP: 6144:oNxyvPouZtK58suC/004GKXkq4RUs3fyW:oNxyXNtK58su3Z0RPj
Malware Config
Extracted from: \Device\HarddiskVolume1\Boot\da-DK\!!!HOW_TO_DECRYPT!!!.txt
URL: https://tox.chat/download.html
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Process for every entry: Q7B3RC.bin.exe
- File renamed: C:\Users\Admin\Pictures\AssertPublish.crw => C:\Users\Admin\Pictures\AssertPublish.crw.code
- File renamed: C:\Users\Admin\Pictures\CopySet.png => C:\Users\Admin\Pictures\CopySet.png.code
- File renamed: C:\Users\Admin\Pictures\ImportRequest.tif => C:\Users\Admin\Pictures\ImportRequest.tif.code
- File renamed: C:\Users\Admin\Pictures\ResetUndo.crw => C:\Users\Admin\Pictures\ResetUndo.crw.code
- File renamed: C:\Users\Admin\Pictures\SetRead.raw => C:\Users\Admin\Pictures\SetRead.raw.code
- File renamed: C:\Users\Admin\Pictures\SkipPing.raw => C:\Users\Admin\Pictures\SkipPing.raw.code
- File renamed: C:\Users\Admin\Pictures\RestartResolve.tif => C:\Users\Admin\Pictures\RestartResolve.tif.code
- File renamed: C:\Users\Admin\Pictures\AddDisconnect.tif => C:\Users\Admin\Pictures\AddDisconnect.tif.code
- File opened for modification: C:\Users\Admin\Pictures\ConnectResume.tiff
- File renamed: C:\Users\Admin\Pictures\ConnectResume.tiff => C:\Users\Admin\Pictures\ConnectResume.tiff.code
- File renamed: C:\Users\Admin\Pictures\ProtectSet.tif => C:\Users\Admin\Pictures\ProtectSet.tif.code
-
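The rename IoCs above show the sample's marking scheme: the original extension is kept and ".code" is appended, so a .tiff becomes .tiff.code. The detector below, an added example that is not part of the sandbox report, groups rename events by (process, appended suffix) and flags a burst of the same suffix inside a short window, which catches this pattern regardless of the suffix string used. The event list reuses the ten renamed paths from the report plus one constructed benign rename; the record layout (timestamp, pid, image, source, destination) is an assumption, not a sensor schema.

```python
"""Rename-burst detector for the 'Modifies extensions of user files' behaviour.

Added example, not part of the sandbox report. The event tuples mirror the
ten 'File renamed' IoCs the report lists plus one constructed benign rename;
the (timestamp, pid, image, src, dst) layout is an assumption.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

PICS = r"C:\Users\Admin\Pictures"
# Constructed events: (timestamp seconds, pid, image, source path, destination path)
EVENTS = [
    (100.0, 1488, "Q7B3RC.bin.exe", PICS + r"\AssertPublish.crw", PICS + r"\AssertPublish.crw.code"),
    (100.1, 1488, "Q7B3RC.bin.exe", PICS + r"\CopySet.png", PICS + r"\CopySet.png.code"),
    (100.2, 1488, "Q7B3RC.bin.exe", PICS + r"\ImportRequest.tif", PICS + r"\ImportRequest.tif.code"),
    (100.3, 1488, "Q7B3RC.bin.exe", PICS + r"\ResetUndo.crw", PICS + r"\ResetUndo.crw.code"),
    (100.4, 1488, "Q7B3RC.bin.exe", PICS + r"\SetRead.raw", PICS + r"\SetRead.raw.code"),
    (100.5, 1488, "Q7B3RC.bin.exe", PICS + r"\SkipPing.raw", PICS + r"\SkipPing.raw.code"),
    (100.6, 1488, "Q7B3RC.bin.exe", PICS + r"\RestartResolve.tif", PICS + r"\RestartResolve.tif.code"),
    (100.7, 1488, "Q7B3RC.bin.exe", PICS + r"\AddDisconnect.tif", PICS + r"\AddDisconnect.tif.code"),
    (100.8, 1488, "Q7B3RC.bin.exe", PICS + r"\ConnectResume.tiff", PICS + r"\ConnectResume.tiff.code"),
    (100.9, 1488, "Q7B3RC.bin.exe", PICS + r"\ProtectSet.tif", PICS + r"\ProtectSet.tif.code"),
    # constructed benign rename: a user renaming one document, no shared suffix
    (140.0, 2200, "explorer.exe", r"C:\Users\Admin\Documents\draft.docx", r"C:\Users\Admin\Documents\final.docx"),
]


def appended_suffix(src, dst):
    """Return the string appended to the full original name, or None.

    'x.tiff' -> 'x.tiff.code' yields '.code'; a plain rename such as
    'draft.docx' -> 'final.docx' yields None because dst does not extend src.
    """
    if len(dst) > len(src) and dst.lower().startswith(src.lower()):
        return dst[len(src):]
    return None


def detect_rename_bursts(events, window=60.0, threshold=5):
    """Flag each (pid, image, suffix) group with >= threshold renames in any window-second span.

    Each alert also lists the original extensions that were hit, since an
    encryptor touches many file types while a legitimate tool rarely does.
    """
    groups = defaultdict(list)          # (pid, image, suffix) -> [(ts, src), ...]
    for ts, pid, image, src, dst in events:
        suffix = appended_suffix(src, dst)
        if suffix:
            groups[(pid, image, suffix)].append((ts, src))

    alerts = []
    for (pid, image, suffix), items in groups.items():
        items.sort()
        stamps = [ts for ts, _ in items]
        start = 0
        for end, ts in enumerate(stamps):     # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "pid": pid,
                    "image": image,
                    "suffix": suffix,
                    "count": len(items),
                    "first": stamps[0],
                    "last": stamps[-1],
                    "extensions": sorted({PureWindowsPath(src).suffix.lower() for _, src in items}),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_rename_bursts(EVENTS):
        print(alert)
```

The threshold and window are tuning knobs; the values above are only there so the constructed events trip the rule. In production the same grouping should key on the new suffix rather than on a fixed list of known ransomware extensions, because the suffix is the one thing each family changes.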
Deletes itself 1 IoCs
Processes:
- PID 1808 cmd.exe
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Process for every entry: Q7B3RC.bin.exe
- Key created: \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Q7B3RC.bin.exe\" e"
-
Drops desktop.ini file(s) 27 IoCs
Processes:
Process for every entry: Q7B3RC.bin.exe; every entry is "File opened for modification"
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Public\Downloads\desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Users\Public\Music\Sample Music\desktop.ini
- \??\E:\$RECYCLE.BIN\S-1-5-21-1914912747-3343861975-731272777-1000\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Public\desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Public\Libraries\desktop.ini
- C:\Users\Public\Recorded TV\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Users\Public\Videos\Sample Videos\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Admin\Favorites\Links for United States\desktop.ini
- C:\Users\Public\Recorded TV\Sample Media\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Public\Pictures\Sample Pictures\desktop.ini
-
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Processes: vssadmin.exe (several instances), Q7B3RC.bin.exe; every entry is "File opened (read-only)"
- \??\D: vssadmin.exe
- \??\E: vssadmin.exe
- \??\F: vssadmin.exe
- \??\g: vssadmin.exe
- \??\H: vssadmin.exe
- \??\G: vssadmin.exe
- \??\G: vssadmin.exe
- \??\h: vssadmin.exe
- \??\H: vssadmin.exe
- \??\D: Q7B3RC.bin.exe
- \??\D: vssadmin.exe
- \??\E: vssadmin.exe
- \??\f: vssadmin.exe
- \??\F: vssadmin.exe
- \??\E: Q7B3RC.bin.exe
- \??\f: vssadmin.exe
- \??\g: vssadmin.exe
- \??\h: vssadmin.exe
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
- PID 1704 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
Processes:
- PID 912 timeout.exe
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe PIDs: 1052, 1372, 1612, 1448, 1948, 980, 580, 936, 600, 240, 1164, 1244, 1564, 304
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 1520 powershell.exe
- PID 1488 Q7B3RC.bin.exe (the remaining 63 entries)
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes:
- vssvc.exe (PID 1740): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- wmic.exe (PID 872), the same set recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- powershell.exe (PID 1520): SeDebugPrivilege
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Each pairing below is recorded four times (64 entries in total).
- PID 1488 Q7B3RC.bin.exe wrote to memory of PID 1612 vssadmin.exe
- PID 1488 Q7B3RC.bin.exe wrote to memory of PID 1260 net.exe
- PID 1260 net.exe wrote to memory of PID 1720 net1.exe
- PID 1488 Q7B3RC.bin.exe wrote to memory of PID 1704 sc.exe
- PID 1488 Q7B3RC.bin.exe wrote to memory of PID 872 wmic.exe
- PID 1488 Q7B3RC.bin.exe wrote to memory of PID 936 vssadmin.exe
- PID 1488 Q7B3RC.bin.exe wrote to memory of PID 600 vssadmin.exe
- PID 1488 Q7B3RC.bin.exe wrote to memory of PID 1448 vssadmin.exe
- PID 1488 Q7B3RC.bin.exe wrote to memory of PID 1948 vssadmin.exe
- PID 1488 Q7B3RC.bin.exe wrote to memory of PID 1052 vssadmin.exe
- PID 1488 Q7B3RC.bin.exe wrote to memory of PID 980 vssadmin.exe
- PID 1488 Q7B3RC.bin.exe wrote to memory of PID 1244 vssadmin.exe
- PID 1488 Q7B3RC.bin.exe wrote to memory of PID 240 vssadmin.exe
- PID 1488 Q7B3RC.bin.exe wrote to memory of PID 1564 vssadmin.exe
- PID 1488 Q7B3RC.bin.exe wrote to memory of PID 1164 vssadmin.exe
- PID 1488 Q7B3RC.bin.exe wrote to memory of PID 304 vssadmin.exe
-
System policy modification 1 TTPs 1 IoCs
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (Q7B3RC.bin.exe)
-
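Two registry writes in this report are worth alerting on together: the Run value MSFEEditor (recorded under "Adds Run key to start application" above) points at the sample's own copy in the user's Temp directory, and the EnableLinkedConnections policy is set to 1. With UAC enabled, drive letters mapped under a user's filtered token are not visible to processes running with that user's elevated token; setting EnableLinkedConnections=1 makes the mappings visible to both, so an elevated encryptor can reach network shares the user mapped. The checks below are an added example, not part of the sandbox report. The events are constructed in a Sysmon-style layout (event 12 = key created, 13 = value set) using the report's own registry paths; the VendorUpdater entry, the field names and the DWORD rendering are assumptions.

```python
"""Checks for the two registry writes the report records for Q7B3RC.bin.exe.

Added example, not part of the sandbox report. Events are constructed in a
Sysmon-style layout (12 = key created, 13 = value set); the benign
VendorUpdater entry and the field names are assumptions.
"""
import re

RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE)
# Locations a standard user can write to: a Run entry pointing here is
# persistence for a dropped binary rather than for an installed product.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData\\Local\\Temp|AppData\\Roaming|Downloads)\\"
    r"|\\Users\\Public\\|\\ProgramData\\", re.IGNORECASE)
LINKED_CONNECTIONS_RE = re.compile(
    r"\\Policies\\System\\EnableLinkedConnections$", re.IGNORECASE)

SID = "S-1-5-21-1914912747-3343861975-731272777-1000"
RUN = r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run" % SID

# Constructed events; the first three reproduce what the report records.
EVENTS = [
    {"id": 12, "image": "Q7B3RC.bin.exe", "target": RUN},
    {"id": 13, "image": "Q7B3RC.bin.exe", "target": RUN + r"\MSFEEditor",
     "details": r'"C:\Users\Admin\AppData\Local\Temp\Q7B3RC.bin.exe" e'},
    {"id": 13, "image": "Q7B3RC.bin.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
     "details": "DWORD (0x00000001)"},
    # constructed benign entry: an installer registering an updater from Program Files
    {"id": 13, "image": "setup.exe", "target": RUN + r"\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\updater.exe" --quiet'},
]


def executable_from_value(data):
    """Return the program path from a Run value, handling quoted paths with trailing arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 1 else data[1:]
    return data.split(None, 1)[0] if data else ""


def dword_value(data):
    """Parse a DWORD as Sysmon renders it ('DWORD (0x00000001)') or as a bare integer."""
    m = re.search(r"0x([0-9a-f]+)|(\d+)", data, re.IGNORECASE)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def check_event(ev):
    """Return an alert dict for a suspicious value-set event, else None."""
    if ev["id"] != 13:
        return None
    target = ev["target"]
    if RUN_VALUE_RE.search(target):
        exe = executable_from_value(ev["details"])
        if USER_WRITABLE_RE.search(exe):
            return {"rule": "run_key_points_to_user_writable_path",
                    "image": ev["image"], "value": target, "exe": exe}
    if LINKED_CONNECTIONS_RE.search(target) and dword_value(ev["details"]) == 1:
        return {"rule": "enable_linked_connections_set",
                "image": ev["image"], "value": target}
    return None


def scan(events):
    """Run check_event over a list of events and return the alerts in order."""
    return [a for a in (check_event(e) for e in events) if a]


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert)
```

The Run value also carries a trailing argument (the report shows it as e) which is why executable_from_value strips arguments before testing the path; matching on the raw string would miss quoted paths followed by switches.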
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\Q7B3RC.bin.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Q7B3RC.bin.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Children (level 2):
  - C:\Windows\SysWOW64\net.exe
    Command line: net stop VSS & sc config VSS start= disabled
    - Suspicious use of WriteProcessMemory
    Child (level 3):
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin delete shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\sc.exe
    Command line: sc config VSS start= Demand & net start VSS
    - Launches sc.exe
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY delete /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q
    - Modifies file permissions
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\Q7B3RC.bin.exe" >> NUL
    - Deletes itself
    Child (level 3):
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 1
      - Delays execution with timeout.exe
- C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
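The process tree above is the recovery-inhibition chain a detection engineer wants to match as a whole rather than command by command: four different ways of removing shadow copies (vssadmin delete, wmic shadowcopy delete, the Win32_Shadowcopy WMI class from PowerShell, and the resize of shadow storage to 401MB followed by a resize back to unbounded, which evicts existing snapshots without an explicit delete), a stop/disable and later re-enable of the VSS service around them, a recursive icacls grant, and a delayed self-delete through cmd.exe. Two caveats when reading the tree: net.exe and sc.exe are spawned directly by the sample with the "& ..." chain inside their argument string, so no shell interprets the ampersand and the report does not establish that the chained half ran; and the classifier below keys on the command strings, not on whether any of them succeeded. The classifier is an added example, not part of the sandbox report; it reuses the command lines and parent PIDs shown above, the two lines under parent 4000 are constructed benign activity, and the (ppid, image, cmdline) layout is an assumption rather than a sensor schema.

```python
"""Classify process command lines for the recovery-inhibition chain in the process tree.

Added example, not part of the sandbox report. RECORDS reuses the command lines
and parent PIDs from the tree; the entries under parent 4000 are constructed
benign activity, and the (ppid, image, cmdline) layout is an assumption.
"""
import re
from collections import defaultdict

# (rule name, ATT&CK technique, pattern). Matching is case-insensitive because the
# sample mixes 'delete shadows /all /quiet' with 'Delete Shadows /All /Quiet'.
RULES = [
    ("vssadmin_delete_shadows", "T1490", r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    # Shrinking shadow storage and then restoring it evicts existing snapshots
    # without a delete command, so it is treated as the same technique.
    ("vssadmin_resize_shadowstorage", "T1490", r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b"),
    ("wmic_shadowcopy_delete", "T1490", r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
    ("powershell_win32_shadowcopy_delete", "T1490", r"win32_shadowcopy\b.*\.delete\s*\("),
    ("vss_service_stop_start", "T1489", r"\bnet1?(?:\.exe)?\s+(?:stop|start)\s+vss\b"),
    ("vss_service_reconfigure", "T1489", r"\bsc(?:\.exe)?\s+config\s+vss\s+start=\s*\w+"),
    ("icacls_grant_full_recursive", "T1222.001", r"\bicacls(?:\.exe)?\b.*/grant\s+\S+:F\b.*/T\b"),
    ("self_delete_after_timeout", "T1070.004", r"\btimeout\s+\d+\s*&&\s*del\b"),
]
COMPILED = [(name, tid, re.compile(pat, re.IGNORECASE)) for name, tid, pat in RULES]


def classify(cmdline):
    """Return the rule names that match one command line, in RULES order."""
    return [name for name, _tid, rx in COMPILED if rx.search(cmdline)]


def score_process_tree(records):
    """Aggregate distinct rule hits per parent PID: {ppid: sorted rule names}."""
    hits = defaultdict(set)
    for ppid, _image, cmdline in records:
        for name in classify(cmdline):
            hits[ppid].add(name)
    return {ppid: sorted(names) for ppid, names in hits.items()}


def flagged_parents(records, min_distinct=3):
    """Parents that spawned at least min_distinct different recovery-inhibition commands."""
    return sorted(p for p, names in score_process_tree(records).items() if len(names) >= min_distinct)


SELF = r"C:\Users\Admin\AppData\Local\Temp\Q7B3RC.bin.exe"
RECORDS = [
    (1488, "net.exe", "net stop VSS & sc config VSS start= disabled"),
    (1260, "net1.exe", r"C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled"),
    (1488, "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (1488, "sc.exe", "sc config VSS start= Demand & net start VSS"),
    (1488, "wmic.exe", "wmic.exe SHADOWCOPY delete /nointeractive"),
    (1488, "vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    (1488, "vssadmin.exe", "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB"),
    (1488, "vssadmin.exe", "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded"),
    (1488, "icacls.exe", 'icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q'),
    (1488, "powershell.exe", 'powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"'),
    (1488, "cmd.exe", '"C:\\Windows\\system32\\cmd.exe" /c timeout 1 && del "' + SELF + '" >> NUL'),
    (1808, "timeout.exe", "timeout 1"),
    # constructed benign activity under an assumed parent PID 4000
    (4000, "vssadmin.exe", "vssadmin list shadows"),
    (4000, "sc.exe", "sc query VSS"),
]

if __name__ == "__main__":
    for ppid, names in sorted(score_process_tree(RECORDS).items()):
        print(ppid, ", ".join(names))
    print("flagged parents:", flagged_parents(RECORDS))
```

Scoring per parent is what separates this chain from an administrator who runs one vssadmin command: the sample's parent PID collects eight distinct rule hits, while the benign parent collects none and never appears in the tally.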
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Device\HarddiskVolume1\Boot\da-DK\!!!HOW_TO_DECRYPT!!!.txt
  Filesize: 3KB
  MD5: 5874a3ef6050bccbe1808ce15b7aff0a
  SHA1: 7ce0ada09d8dcf2b46ec004b2fe2a8523ec70468
  SHA256: a838bc92d4d1ff8cc1f8aa1c2de2a6a15b43486292b248d7669459a97ab3e711
  SHA512: b55305b95a9d5d1e76335a5db35a05710b1d54d24abb93edcdc768e6caad00a2b49c675d6e405bab42971944fa03b2015dbf5858416b2ce5547b1e302c2bde29
- memory/1488-54-0x0000000000AA0000-0x0000000000B2F000-memory.dmp, Filesize: 572KB
- memory/1488-55-0x0000000000AA0000-0x0000000000B2F000-memory.dmp, Filesize: 572KB
- memory/1488-56-0x0000000000AA0000-0x0000000000B2F000-memory.dmp, Filesize: 572KB
- memory/1488-57-0x0000000000AA0000-0x0000000000B2F000-memory.dmp, Filesize: 572KB
- memory/1488-58-0x0000000000AA0000-0x0000000000B2F000-memory.dmp, Filesize: 572KB
- memory/1488-399-0x0000000000AA0000-0x0000000000B2F000-memory.dmp, Filesize: 572KB
- memory/1488-1218-0x0000000000AA0000-0x0000000000B2F000-memory.dmp, Filesize: 572KB
- memory/1520-61-0x0000000002550000-0x0000000002590000-memory.dmp, Filesize: 256KB
- memory/1520-62-0x0000000002550000-0x0000000002590000-memory.dmp, Filesize: 256KB