Malware Analysis Report

2024-09-22 14:32

Sample ID 230508-wdvw2sbh89
Target VirusShare_61b32a82577a7ea823ff7303ab6b4283
SHA256 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
Tags
maze ransomware spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167

Threat Level: Known bad

The file VirusShare_61b32a82577a7ea823ff7303ab6b4283 was found to be: Known bad.

Malicious Activity Summary

maze ransomware spyware stealer trojan

Maze

Deletes shadow copies

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Sets desktop wallpaper using registry

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-05-08 17:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-08 17:48

Reported

2023-05-08 17:51

Platform

win7-20230220-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe"

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware

Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ExitSync.crw => C:\Users\Admin\Pictures\ExitSync.crw.nibamR C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File renamed C:\Users\Admin\Pictures\SelectReceive.tif => C:\Users\Admin\Pictures\SelectReceive.tif.8Z8Q C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File renamed C:\Users\Admin\Pictures\SuspendTest.tif => C:\Users\Admin\Pictures\SuspendTest.tif.aLaH C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File renamed C:\Users\Admin\Pictures\UseStop.raw => C:\Users\Admin\Pictures\UseStop.raw.dw8Bod C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File renamed C:\Users\Admin\Pictures\DebugSelect.raw => C:\Users\Admin\Pictures\DebugSelect.raw.sGJ6y C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Users\Admin\Pictures\EnablePush.tiff C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File renamed C:\Users\Admin\Pictures\EnablePush.tiff => C:\Users\Admin\Pictures\EnablePush.tiff.nibamR C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6cd10cc68975313c.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\6cd10cc68975313c.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\LockRename.emf C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\MountRestore.jpeg C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\AssertSplit.DVR-MS C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\CompressAdd.aiff C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files (x86)\6cd10cc68975313c.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ComparePop.wax C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ConfirmPublish.png C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ConvertToLock.ppt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\EnableGet.pptm C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\InvokeComplete.mpeg3 C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\PushSuspend.docx C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ShowSet.vst C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\UseProtect.3gp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6cd10cc68975313c.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6cd10cc68975313c.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\CheckpointCompress.raw C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\GetRename.ogg C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\GroupCompare.asx C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\InstallRequest.mpp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\SkipExpand.kix C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\CompareResume.vsd C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\PopRestart.aif C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\PushRepair.vsdx C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6cd10cc68975313c.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\AssertStop.mp2v C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\BackupEnable.au3 C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\JoinUndo.mpeg C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ConvertFromCopy.clr C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ConvertStop.easmx C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\RegisterSplit.WTV C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\UseFormat.scf C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\bu\ml\nqjpi\..\..\..\Windows\mt\tywo\cae\..\..\..\system32\eb\..\wbem\ne\rnosw\ivp\..\..\..\wmic.exe" shadowcopy delete

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x140

Network


Files

memory/1548-54-0x0000000000220000-0x000000000027E000-memory.dmp

memory/1548-58-0x0000000000220000-0x000000000027E000-memory.dmp

memory/1548-60-0x0000000000220000-0x000000000027E000-memory.dmp

memory/1548-64-0x0000000000220000-0x000000000027E000-memory.dmp

C:\MSOCache\DECRYPT-FILES.txt

MD5 e3d0634ca08b287f7b2bce0a5975ae2a
SHA1 30ba19bf745a94b9b8cca7230952fe70b119647c
SHA256 c29c5f711c69635e3b24cadb7b5c1c91030a7e1b52bc34439ef3b0384dc3c183
SHA512 f71654c8a5b3281c6c65e9414e07feea9c8570024800905985b70ea69b0bbf02ae723326a16bd594fc7844e32661b356ea185e7ba045072da86f5ceef02e4bd3

memory/1548-923-0x0000000000220000-0x000000000027E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_6734ED3E8A8E4F5A865F2B8FEF8F248E.dat

MD5 bc715473114e925df8ea5ea72f21b9ae
SHA1 354a61a6f8dcbb9bb034d6e84fb7d379c54c89c9
SHA256 28f42b9e582696e267cf1d6ab5ec5a17ca57109f569783af73a724e25c09622a
SHA512 af5fda4c81903273f4faee117324e4716df0e877d0188e2f67b9a40defb6567db46bfd7f7eecdd881340148c9e748bc9923c3e56f2e3c1d14d2016edcaf97e11

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-08 17:48

Reported

2023-05-08 17:51

Platform

win10v2004-20230220-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe"

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\SaveExit.tiff C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File renamed C:\Users\Admin\Pictures\SaveExit.tiff => C:\Users\Admin\Pictures\SaveExit.tiff.LlFw C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File renamed C:\Users\Admin\Pictures\SearchSuspend.crw => C:\Users\Admin\Pictures\SearchSuspend.crw.LlFw C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File renamed C:\Users\Admin\Pictures\FormatResume.png => C:\Users\Admin\Pictures\FormatResume.png.RqpGD72 C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Users\Admin\Pictures\GetMove.tiff C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File renamed C:\Users\Admin\Pictures\GetMove.tiff => C:\Users\Admin\Pictures\GetMove.tiff.z2hI C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File renamed C:\Users\Admin\Pictures\MountRestart.png => C:\Users\Admin\Pictures\MountRestart.png.z2hI C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File renamed C:\Users\Admin\Pictures\MountStart.png => C:\Users\Admin\Pictures\MountStart.png.z2hI C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6c810cb8df074b89.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c810cb8df074b89.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\ExpandMerge.zip C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\DenyRequest.ps1xml C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\EnterSync.xlsx C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ShowGroup.svgz C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\UninstallCheckpoint.fon C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\CloseRegister.dotm C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ConvertInstall.wmv C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\RequestConnect.mov C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\RequestFormat.rmi C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\SwitchDisable.crw C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\InitializeApprove.wmf C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\InitializeReset.mpg C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\TestResolve.css C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\UndoUninstall.png C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\RenamePush.htm C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\RepairHide.DVR-MS C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files (x86)\6c810cb8df074b89.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\RequestRedo.emf C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\UnblockRepair.csv C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\OutRename.pptm C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ResetLock.php C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\ExitUnprotect.tif C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\DebugSplit.zip C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\MergeComplete.vdw C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\SendComplete.jpg C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\UninstallExpand.xsl C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\WatchUnregister.htm C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\6c810cb8df074b89.tmp C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A
File opened for modification C:\Program Files\CopyInstall.jpg C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_61b32a82577a7ea823ff7303ab6b4283.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\lkt\..\Windows\lll\ba\..\..\system32\bdj\ebp\qeb\..\..\..\wbem\ald\q\vc\..\..\..\wmic.exe" shadowcopy delete

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x534 0x52c

Network


Files

memory/3408-133-0x00000000005C0000-0x000000000061E000-memory.dmp

memory/3408-137-0x00000000005C0000-0x000000000061E000-memory.dmp

memory/3408-139-0x00000000005C0000-0x000000000061E000-memory.dmp

memory/3408-143-0x00000000005C0000-0x000000000061E000-memory.dmp

C:\odt\DECRYPT-FILES.txt

MD5 247f8e1d7de8cbf1ed25d74b7ef15ba5
SHA1 d69ee414863c88f45188e24f72c89ee2cfa18af4
SHA256 c6cf8dafbdb98833c12636d421fcc5f090b6b6add1b5d54b7570190829f60ace
SHA512 1ba6e1916ebd7aa7aea310b91d61bcf36a160309d68c20a0e5864988b9fb3791022109d6a286d6a3a2240453ac59b46f613d5bea0a301c1cf0ec0a50c6b90a7e

memory/3408-953-0x00000000005C0000-0x000000000061E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_F747492EE9F84ABAA606E37CCE8A667D.dat

MD5 28efb3198ce375eb6a2745c828da0f68
SHA1 8365a1768984366f0dfc38656d26d7c699de57cf
SHA256 a4b505149cefaa505e4660964c0a649e99579cac69f3f4bcd3a95fa5228be2b0
SHA512 5c44764efe06217ba813912f8d4dace2df62473adfaa851d67f55db55828deafc06e882d45c00a9e1fdaa03a1ba5a4cf94c0527f410e561601d22ba583a57c5d