Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
218s -
max time network
201s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
26/05/2023, 02:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe
Resource
win7-20230220-en
windows7-x64
12 signatures
600 seconds
Behavioral task
behavioral2
Sample
f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe
Resource
win10v2004-20230221-en
windows10-2004-x64
15 signatures
600 seconds
General
-
Target
f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe
-
Size
129KB
-
MD5
3e6613fb7521062d41826e4460f7d630
-
SHA1
7136124383c127028e91946a7b1cb942088cf3d9
-
SHA256
f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32
-
SHA512
9cc6f870c2f64460231481f93d86fe0b2a4f2bcf98d4893faa0dacf239db56be4be460ae17aa8e8067d3c4e1220d405db2f5eba4a42583851069ea518d8526ac
-
SSDEEP
3072:VLbLpVIYbQf91G3im/2Ef07Jysg1n8Ovz4pt6YwSabakoEMQB/jS3fevYugrO6OL:VTpVPnx6aako0BSvmYBrrOu3SbuO06
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (10666) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\ConvertToDebug.tiff f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Users\Admin\Pictures\WaitAdd.tiff f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\#FILEENCRYPTED.txt f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.EMAIL=[[email protected]]ID=[A883F7AA2ED1B445].FAST f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\#FILEENCRYPTED.txt f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt.EMAIL=[[email protected]]ID=[A883F7AA2ED1B445].FAST f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN120.XML f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\SmallTile.scale-125.png f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\#FILEENCRYPTED.txt f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\#FILEENCRYPTED.txt f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-ae\ui-strings.js f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\SmallTile.scale-125.png f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-200_contrast-white.png f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_wob.png.EMAIL=[[email protected]]ID=[A883F7AA2ED1B445].FAST f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File created C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\#FILEENCRYPTED.txt f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Heart.png f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\plugin.js f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js.EMAIL=[[email protected]]ID=[A883F7AA2ED1B445].FAST f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\#FILEENCRYPTED.txt f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pl-pl\#FILEENCRYPTED.txt f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Security.Cryptography.Cng.dll f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\#FILEENCRYPTED.txt f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\Training.potx.EMAIL=[[email protected]]ID=[A883F7AA2ED1B445].FAST f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\OperationValidationResources.psd1 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_LinkNoDrop32x32.gif.EMAIL=[[email protected]]ID=[A883F7AA2ED1B445].FAST f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Lollipop.png f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Runtime.Serialization.Primitives.dll f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-24.png f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub.EMAIL=[[email protected]]ID=[A883F7AA2ED1B445].FAST f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile.html f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\ui-strings.js f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.EMAIL=[[email protected]]ID=[A883F7AA2ED1B445].FAST f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-cn_get.svg f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-36_altform-fullcolor.png f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Doughboy.scale-125.png f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe.EMAIL=[[email protected]]ID=[A883F7AA2ED1B445].FAST f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File created C:\Program Files\Microsoft Office\root\Licenses\#FILEENCRYPTED.txt f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-24_altform-unplated.png f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ca.pak.EMAIL=[[email protected]]ID=[A883F7AA2ED1B445].FAST f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-to-phone-small.png f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ccloud_retina.png.EMAIL=[[email protected]]ID=[A883F7AA2ED1B445].FAST f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\ui-strings.js.EMAIL=[[email protected]]ID=[A883F7AA2ED1B445].FAST f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Microsoft Office\root\vreg\excelmui.msi.16.en-us.vreg.dat f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar.EMAIL=[[email protected]]ID=[A883F7AA2ED1B445].FAST f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\selector.js f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\#FILEENCRYPTED.txt f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File created C:\Program Files\VideoLAN\VLC\locale\lg\#FILEENCRYPTED.txt f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_ja_4.4.0.v20140623020002.jar.EMAIL=[[email protected]]ID=[A883F7AA2ED1B445].FAST f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\AFTRNOON.INF.EMAIL=[[email protected]]ID=[A883F7AA2ED1B445].FAST f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.EMAIL=[[email protected]]ID=[A883F7AA2ED1B445].FAST f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2828 vssadmin.exe 4944 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 4776 vssvc.exe Token: SeRestorePrivilege 4776 vssvc.exe Token: SeAuditPrivilege 4776 vssvc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1088 StartMenuExperienceHost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2136 wrote to memory of 3448 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 77 PID 2136 wrote to memory of 3448 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 77 PID 3448 wrote to memory of 2828 3448 cmd.exe 79 PID 3448 wrote to memory of 2828 3448 cmd.exe 79 PID 2136 wrote to memory of 4880 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 104 PID 2136 wrote to memory of 4880 2136 f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe 104 PID 4880 wrote to memory of 4944 4880 cmd.exe 106 PID 4880 wrote to memory of 4944 4880 cmd.exe 106 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe"C:\Users\Admin\AppData\Local\Temp\f0424f67134d4761a836bd18507de8a758b5b7204282cf14ad0be04e91f28f32.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2828
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4944
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4776
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:232
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\#FILEENCRYPTED.txt1⤵PID:2980
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1088
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
326B
MD534c68ebc25fb9fef0497ccd53dca874e
SHA131b57da007932acc122c1e99097d7f537b9f1ccc
SHA2560e66671e700d0423b7d5d1694be47f047f1c9062be7ea52e324955d01425a7db
SHA512c562e18d1fd178800816ed26d4341e770285db67bb435c3ad25ddc0ebf2162323338a15260ee84ffbea24002b7b9bbb76df1b0094ec29eab8522466dd7930c9b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize14KB
MD5d1526c611fbfa91ce5d14239ae65da65
SHA19a0e562796985467c8e64545427f13506a4e7487
SHA256167aa904fbe7aab5885a364596c3f01efca69badbb90ca8c2660ea3e46ec4ae2
SHA51294e5601e35a84ac3d8838ff2ee45c60a2072a5e030fdfbb6e518f731b88b56e0da4b002d34129598d64e8025274aef8a0e44ca82ddb32c8214073def3740105d
-
Filesize
326B
MD534c68ebc25fb9fef0497ccd53dca874e
SHA131b57da007932acc122c1e99097d7f537b9f1ccc
SHA2560e66671e700d0423b7d5d1694be47f047f1c9062be7ea52e324955d01425a7db
SHA512c562e18d1fd178800816ed26d4341e770285db67bb435c3ad25ddc0ebf2162323338a15260ee84ffbea24002b7b9bbb76df1b0094ec29eab8522466dd7930c9b