bcf49e8f493c9eff83d9bc891e91dc91777f02b4f176e44b20f9a2d651f20fc3

General

Target

Q7B3RC.bin.exe
Size

229KB
MD5

2979ed84c4ca3deb2924bd1f26bf88bd
SHA1

8f01f9112904389e0b53a25506ef69f99cc0fa1b
SHA256

bcf49e8f493c9eff83d9bc891e91dc91777f02b4f176e44b20f9a2d651f20fc3
SHA512

bd0088d587357851da5e4a7bd9cb1034c404cd5db9a12b9b27efa68a8a28b250d4a2c7346eff0cd14955713cbc13698a6c646d0d573602ccc0f7bda3d0c2d37f
SSDEEP

6144:oNxyvPouZtK58suC/004GKXkq4RUs3fyW:oNxyXNtK58su3Z0RPj

Score

10^/10

discovery persistence ransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\da-DK\!!!HOW_TO_DECRYPT!!!.txt

Ransom Note

Your network has been infected ! We have you corporate data. Thousands of all your client cases with all personal information, evidences, e-mails, addresses, SSNs, financial information, accounting, Outlook PST archives of your attorneys and staff. Really we have almost mirror of your servers in our network. ============================================================================================================================ The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. ============================================================================================================================= If no payment will be arranged or you will ignore negotiations: - we will start randomly notify some of you active 2021 clients about incident sending them link on their private data. - we well resell data on dark-web marketplaces, cause there is a thousands of personal confidential records - we will post data on few top data-leaks resources, well-known among journalists ============================================================================================================================== You can contact us by downloading and installing TOX chat (https://tox.chat/download.html) Support TOX ID: F0EC47657B9144F5161C7E343BA85401C43826CA0907309FF67513538B0ACD585A07D4A979DC

URLs

https://tox.chat/download.html

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 11 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Q7B3RC.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\AssertPublish.crw => C:\Users\Admin\Pictures\AssertPublish.crw.code	Q7B3RC.bin.exe
File renamed	C:\Users\Admin\Pictures\CopySet.png => C:\Users\Admin\Pictures\CopySet.png.code	Q7B3RC.bin.exe
File renamed	C:\Users\Admin\Pictures\ImportRequest.tif => C:\Users\Admin\Pictures\ImportRequest.tif.code	Q7B3RC.bin.exe
File renamed	C:\Users\Admin\Pictures\ResetUndo.crw => C:\Users\Admin\Pictures\ResetUndo.crw.code	Q7B3RC.bin.exe
File renamed	C:\Users\Admin\Pictures\SetRead.raw => C:\Users\Admin\Pictures\SetRead.raw.code	Q7B3RC.bin.exe
File renamed	C:\Users\Admin\Pictures\SkipPing.raw => C:\Users\Admin\Pictures\SkipPing.raw.code	Q7B3RC.bin.exe
File renamed	C:\Users\Admin\Pictures\RestartResolve.tif => C:\Users\Admin\Pictures\RestartResolve.tif.code	Q7B3RC.bin.exe
File renamed	C:\Users\Admin\Pictures\AddDisconnect.tif => C:\Users\Admin\Pictures\AddDisconnect.tif.code	Q7B3RC.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectResume.tiff	Q7B3RC.bin.exe
File renamed	C:\Users\Admin\Pictures\ConnectResume.tiff => C:\Users\Admin\Pictures\ConnectResume.tiff.code	Q7B3RC.bin.exe
File renamed	C:\Users\Admin\Pictures\ProtectSet.tif => C:\Users\Admin\Pictures\ProtectSet.tif.code	Q7B3RC.bin.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1808 cmd.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1088 icacls.exe

pid	process
1808	cmd.exe

pid	process
1088	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Q7B3RC.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run	Q7B3RC.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Q7B3RC.bin.exe\" e"	Q7B3RC.bin.exe

Drops desktop.ini file(s) 27 IoCs

Processes:

Q7B3RC.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	Q7B3RC.bin.exe
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-1914912747-3343861975-731272777-1000\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Q7B3RC.bin.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	Q7B3RC.bin.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exeQ7B3RC.bin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	Q7B3RC.bin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\E:	Q7B3RC.bin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1704 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

912 timeout.exe

pid	process
1704	sc.exe

pid	process
912	timeout.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1052	vssadmin.exe
1372	vssadmin.exe
1612	vssadmin.exe
1448	vssadmin.exe
1948	vssadmin.exe
980	vssadmin.exe
580	vssadmin.exe
936	vssadmin.exe
600	vssadmin.exe
240	vssadmin.exe
1164	vssadmin.exe
1244	vssadmin.exe
1564	vssadmin.exe
304	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeQ7B3RC.bin.exe

pid	process
1520	powershell.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe
1488	Q7B3RC.bin.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

vssvc.exewmic.exepowershell.exe

description	pid	process
Token: SeBackupPrivilege	1740	vssvc.exe
Token: SeRestorePrivilege	1740	vssvc.exe
Token: SeAuditPrivilege	1740	vssvc.exe
Token: SeIncreaseQuotaPrivilege	872	wmic.exe
Token: SeSecurityPrivilege	872	wmic.exe
Token: SeTakeOwnershipPrivilege	872	wmic.exe
Token: SeLoadDriverPrivilege	872	wmic.exe
Token: SeSystemProfilePrivilege	872	wmic.exe
Token: SeSystemtimePrivilege	872	wmic.exe
Token: SeProfSingleProcessPrivilege	872	wmic.exe
Token: SeIncBasePriorityPrivilege	872	wmic.exe
Token: SeCreatePagefilePrivilege	872	wmic.exe
Token: SeBackupPrivilege	872	wmic.exe
Token: SeRestorePrivilege	872	wmic.exe
Token: SeShutdownPrivilege	872	wmic.exe
Token: SeDebugPrivilege	872	wmic.exe
Token: SeSystemEnvironmentPrivilege	872	wmic.exe
Token: SeRemoteShutdownPrivilege	872	wmic.exe
Token: SeUndockPrivilege	872	wmic.exe
Token: SeManageVolumePrivilege	872	wmic.exe
Token: 33	872	wmic.exe
Token: 34	872	wmic.exe
Token: 35	872	wmic.exe
Token: SeIncreaseQuotaPrivilege	872	wmic.exe
Token: SeSecurityPrivilege	872	wmic.exe
Token: SeTakeOwnershipPrivilege	872	wmic.exe
Token: SeLoadDriverPrivilege	872	wmic.exe
Token: SeSystemProfilePrivilege	872	wmic.exe
Token: SeSystemtimePrivilege	872	wmic.exe
Token: SeProfSingleProcessPrivilege	872	wmic.exe
Token: SeIncBasePriorityPrivilege	872	wmic.exe
Token: SeCreatePagefilePrivilege	872	wmic.exe
Token: SeBackupPrivilege	872	wmic.exe
Token: SeRestorePrivilege	872	wmic.exe
Token: SeShutdownPrivilege	872	wmic.exe
Token: SeDebugPrivilege	872	wmic.exe
Token: SeSystemEnvironmentPrivilege	872	wmic.exe
Token: SeRemoteShutdownPrivilege	872	wmic.exe
Token: SeUndockPrivilege	872	wmic.exe
Token: SeManageVolumePrivilege	872	wmic.exe
Token: 33	872	wmic.exe
Token: 34	872	wmic.exe
Token: 35	872	wmic.exe
Token: SeDebugPrivilege	1520	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Q7B3RC.bin.exenet.exe

description	pid	process	target process
PID 1488 wrote to memory of 1612	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1612	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1612	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1612	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1260	1488	Q7B3RC.bin.exe	net.exe
PID 1488 wrote to memory of 1260	1488	Q7B3RC.bin.exe	net.exe
PID 1488 wrote to memory of 1260	1488	Q7B3RC.bin.exe	net.exe
PID 1488 wrote to memory of 1260	1488	Q7B3RC.bin.exe	net.exe
PID 1260 wrote to memory of 1720	1260	net.exe	net1.exe
PID 1260 wrote to memory of 1720	1260	net.exe	net1.exe
PID 1260 wrote to memory of 1720	1260	net.exe	net1.exe
PID 1260 wrote to memory of 1720	1260	net.exe	net1.exe
PID 1488 wrote to memory of 1704	1488	Q7B3RC.bin.exe	sc.exe
PID 1488 wrote to memory of 1704	1488	Q7B3RC.bin.exe	sc.exe
PID 1488 wrote to memory of 1704	1488	Q7B3RC.bin.exe	sc.exe
PID 1488 wrote to memory of 1704	1488	Q7B3RC.bin.exe	sc.exe
PID 1488 wrote to memory of 872	1488	Q7B3RC.bin.exe	wmic.exe
PID 1488 wrote to memory of 872	1488	Q7B3RC.bin.exe	wmic.exe
PID 1488 wrote to memory of 872	1488	Q7B3RC.bin.exe	wmic.exe
PID 1488 wrote to memory of 872	1488	Q7B3RC.bin.exe	wmic.exe
PID 1488 wrote to memory of 936	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 936	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 936	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 936	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 600	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 600	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 600	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 600	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1448	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1448	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1448	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1448	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1948	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1948	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1948	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1948	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1052	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1052	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1052	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1052	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 980	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 980	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 980	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 980	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1244	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1244	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1244	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1244	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 240	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 240	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 240	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 240	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1564	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1564	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1564	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1564	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1164	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1164	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1164	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 1164	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 304	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 304	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 304	1488	Q7B3RC.bin.exe	vssadmin.exe
PID 1488 wrote to memory of 304	1488	Q7B3RC.bin.exe	vssadmin.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

Q7B3RC.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	Q7B3RC.bin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Q7B3RC.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Q7B3RC.bin.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1488

C:\Windows\SysWOW64\net.exe
net stop VSS & sc config VSS start= disabled
2⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled
3⤵
PID:1720

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1612

C:\Windows\SysWOW64\sc.exe
sc config VSS start= Demand & net start VSS
2⤵
- Launches sc.exe
PID:1704

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY delete /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:936

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:600

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:1448

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1948

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1052

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:980

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1244

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:240

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1564

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1164

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:304

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:580

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1372

C:\Windows\SysWOW64\icacls.exe
icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q
2⤵
- Modifies file permissions
PID:1088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\Q7B3RC.bin.exe" >> NUL
2⤵
- Deletes itself
PID:1808

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

File Permissions Modification

1

T1222

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

\Device\HarddiskVolume1\Boot\da-DK\!!!HOW_TO_DECRYPT!!!.txt
Filesize
3KB

MD5
5874a3ef6050bccbe1808ce15b7aff0a

SHA1
7ce0ada09d8dcf2b46ec004b2fe2a8523ec70468

SHA256
a838bc92d4d1ff8cc1f8aa1c2de2a6a15b43486292b248d7669459a97ab3e711

SHA512
b55305b95a9d5d1e76335a5db35a05710b1d54d24abb93edcdc768e6caad00a2b49c675d6e405bab42971944fa03b2015dbf5858416b2ce5547b1e302c2bde29

Download Submit
memory/1488-54-0x0000000000AA0000-0x0000000000B2F000-memory.dmp

Filesize
572KB

Download
memory/1488-55-0x0000000000AA0000-0x0000000000B2F000-memory.dmp

Filesize
572KB

Download
memory/1488-56-0x0000000000AA0000-0x0000000000B2F000-memory.dmp

Filesize
572KB

Download
memory/1488-57-0x0000000000AA0000-0x0000000000B2F000-memory.dmp

Filesize
572KB

Download
memory/1488-58-0x0000000000AA0000-0x0000000000B2F000-memory.dmp

Filesize
572KB

Download
memory/1488-399-0x0000000000AA0000-0x0000000000B2F000-memory.dmp

Filesize
572KB

Download
memory/1488-1218-0x0000000000AA0000-0x0000000000B2F000-memory.dmp

Filesize
572KB

Download
memory/1520-61-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/1520-62-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads