locky | b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe

General

Target

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
Size

169KB
MD5

98562209465bec53327e65649a2b8829
SHA1

3a47656ed3df213bd934aa01078a863568fe9f2b
SHA256

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe
SHA512

c11ce14f9cb75df2bc9bd81971c1f8fa885815715f389eb8e796e0f657de59756b36a6f896c216a03c7be7bb3ddff9b8a47aee71146760e4f4d9c6bdc0ff2cc3
SSDEEP

3072:iFgiMd04bHHr/QFDtaruNyXgs7WL61fXbEiVkYELY2P+gA/PF:UE3bHL/ngsu61kYELNmhF

Score

10^/10

locky evasion ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Music\!!Read_Me.F1387.html

Ransom Note

<!DOCTYPE html><h1>#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK</h1>Dear Sir Your files are encrypted with RSA4096 and AES encryption algorithm. But don't worry, you can return all your files!! follow the instructions to recover your files Cooperate with us and get the decrypter program as soon as possible will be your best solution. Only our software can decrypt all your encrypted files. What guarantees you have? We take our reputation seriously. We reject any form of deceptionYou can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain any valuable information. When hiring third-party negotiators or recovery companies. listen to what they tell you. try to think. Are they really interested in solving your problems or are they just thinking about their profit and ambitions? By the way.We have stolen lots of your company and your private data which includes doc,xls,pdf,jpg,mdf,sql,pst... Here we upload sample files of your company and your private data on our blog : http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion We promise that if you don't pay within a week, we will package and publish all of your company and your data on our website. We also promise we can decrypt all of your data and delete all your files on internet after your payment. Such leaks of information lead to losses for the company. fines and lawsuits. And don't forget that information can fall into the hands of competitors! For us this is just business and to prove to you our seriousness. Our e-mail: [email protected] Reserve e-mail: [email protected] [email protected] Device ID: ==AAA8lM3EjLw4yNyEjLwEDLBd1QQRVVE1ELFRzQGJTRBVTM1YkQ5ITQ1IjRwQUO5UkN2MjM4QDO2E0Q2YjNDBTQDZDOwYzMxEUN3UkRDZDR5YjQ4gDNzEDO4IDOEJDR3QkNzYUM3QzMxYTMzIkNBBzMzYTQEZzNFJ0N0EjQ4UEMEBTN1EkNwUDMFFENCNENyMkMyUUOFF0N1UTMzQEM1kzMEJEOCZzNDdzQxYDO1MDMyIzMDNURxEkMFVkN2YjNBhzQCFDO0UUODFTQDhDOCljN5EjM5YUMzEDR2gDOzkjR5EENEZDR0czQEREM5YzQCRTQElTNGNTR2QjN0I0QwcDM1UTMCFEN1E0QFFjQ2E0Q1MDM4AzNEdjMCRjQ5ATQ3kDM3YTN3IkNDdzN2QDNFNTRzcDNwgDMFhTREZDRwETMGNEO5IDN5gjNzYjR0UTMBZkMDRTM0IUO2QzM5cTN4MjRwIjNwM0NyUkR3YTQ4YTOEZ0NFFERGNTMGFUR0IUMEdzNDJkM4UzNCZENDNjMzYEODVER3UEN0UzNyEENBZzQ1UkR5IjN3EjR5QUODNUQCJkN0ITOwIER3cTN1IDNGhzMwQjMGZzMyY0M5QUMBljMCVUODRzQBZjMzYkM5QEN2YEN2kjQ0QTM4cDO2YkRxMUOGJjRwkTQDNUQCVERFZzMBNUO5MjM3EUO5QkQygTM5QER1I0MBVzN3ITOyMUQygzNzUUODJ0QGhTO1gjQBZkMzMUMBZ0QGZjMzM0Q2YTQFhzNzYjMBJkQ1AjN4EUMEJTQxETRBRkM4ADM0gTOCRTO4EjR5YjQ5cTNyATR4AjQwIkQxkTNBNURwIER1UDO1QTM4EkMwYEMDVEREdjQyYDOFZTM1IUNGJDM1UURDZDR2gTMCNURwUzQBJTMFVDMzYTN3MERzUjR3MDMDVDM1IkRCRUQ1kTN5UkQwUUQyQ0N4EkRFVzMGNTOxQzQ5MjQwUTOGRkMENDOxIkQBdDMGRjNxYDNzYjMzEUNyQEM3QUR0MTN1QURzM0Q1ITNzMUO1MTOGN0NDJEM0UkRDZTQwITOyADR0E0N0UUQ4UzQ1AjRFljQ2IUM2gTN2YjRykjNBJkRxYTQBZ0NyI0N1QzNEdzQzQ0QBRTQ1QENzQjNykTM1MDR3MjRzgzM5czQ5MDRzkjQ4QDOFJTN4U0QEVkN5gTQFdTNDJDNwADN0AjR2ATMBF0NyEUQ1IkN2cTRDlDM2UzN2EENFBjNFhDOCVkM1MUN4YzQwgDO5kTM1MUODVENBhTR0YjM4M0NBRDMDJ0QBZjM0IUR1czM3IjNxYDR4ETRxcDN2ETQ0QDN3MUQFFDN1UERxIzQDRTR5MEOyQjQ2UUMBRDNFZTMyEkM2MkN0MjM0U0MzIzQ2MTM4wSO3MDMDlzMzQkM3UkRGRjNFVUNyYkQwIUOGJkMDhzM2MTN0YTNFVEMxQTMCJzNBVTQDNTNBFjQGFERBFjMDlTRxMjMyIjNxEERxATRDFER5UUREdTOCFjMFdDOzIjM5QER5QjMxkzQBlDOFJTO0YUMFZkNERTMzgjQCVDMzkzQDFkNDdjM2kTOxEEM2kjQ5gjN1MDNyMzN0YDOyMjNCBTQ3kDO3MDMCFTM3UjRFdDN4YTNzMkMwgjQEBjQ1gTNzcDNzIzNwAjRFZTQGFjRBFzQCZDN2UEMwYEMxIjR3UURxgDNCJzNDJzN4QUNzAjQBRkMBZTQ1EjMFBDOzkDOBZkMyEUNDJTOzMDOFVkMzYTQ2MkQ2EURBdjRxQjQGljRCljRDNUN3ETO5MERxIkRykjQxkTQzMkMDVUQ1MzQ5IDN3QkM2ATM0YkQEFTNBJkMBlzN3UkMzQ0QzczMCJENFNERCV0M3MjR5gjN3Y0N1Q0M3YkNEljR1YUNzQTRDhDMyIDNzIDM5QDM0MUQ3MTOBVERCRkNBFEODlDNyMDO0IjQ5MkNDZDRGNTO3ITR5MzNBRTMBZkQ4ITQ1Y0MFlTM1YjQDVTQ5gTNBlTRwITQ4EDN1EEMwIDN0kDO0IjN1MkNzgzMCJDRyQUM2UDRCRUOyI0QENjRDVzQ4ETRBVDN0YkN5MUNxEDM1M0N5QzMEFjQDFERyYTN5EUOGZUOFRkR4kjN0YDNyMjRxMkQ3gjQ4gDR2ADMyMENENEMDRTN2kjRwM0MEZDR5ATRDBDM2ATQwATR3MTRxcDN1MUQFVUQBVUM1E0MxQUQ1ATR2YDR4IjN2UTR1YzMxUEN4YEOCREMGhTQFJjQDRkQEJzNEZjR2cjQFFTOFNjR3kjMEljNCRTOFF0NBZkNwEkMwEzMwYTM1QTQyUUM3kTQFJzM2YEMGFUM1IjNyITRFJjREVzQDdzMDZTMDdTM2QzNCNEMxQkMFVDN1czMGZ0QygDNCJjM2QkR2YDM0QjRxQ0QGRUMEdjQCRkRBJUR4UkNGVzMEJENxgDOzUUQBJkN1czMDlTMxgzNxUjMFVTOCNDREFDREdTR0IEMyMzMGVDOykTO3IjNFZjRyQTR2UzNwAzM4EUODFER2kDMEhDR1YUQCFjNFNEM5EUOzITRBFDO1YzNwUjM4E0MFZTRzYjQwM0N1ADOFNTQGJTOGZUQyQzQ4YjM5ATQCdjR0IDNFlDN2YUNykzN1ITR5IjM5MDNDhzM1gTO4QjQxkTO2YzQ0gjRBJjNCNzQxYER0Q0NygjRBJ0Q2QTQzQTQ5QERzEzMDBjMFJzQ2ITNEhzQ5kDRxEDM5YzQ0UUO5AjRDRER5YzMzUUMBV0QzM0M

Emails

[email protected]

e-mail: [email protected] [email protected] Device

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1252 bcdedit.exe
4160 bcdedit.exe
Renames multiple (132) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

3644 netsh.exe

pid	process
1252	bcdedit.exe
4160	bcdedit.exe

pid	process
3644	netsh.exe

Drops file in Program Files directory 1 IoCs

Processes:

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Configuration\configuration.sqlite	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3932 vssadmin.exe

pid	process
3932	vssadmin.exe

Kills process with taskkill 13 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4708	taskkill.exe
4872	taskkill.exe
3612	taskkill.exe
3416	taskkill.exe
3816	taskkill.exe
3996	taskkill.exe
5032	taskkill.exe
4044	taskkill.exe
208	taskkill.exe
4140	taskkill.exe
2088	taskkill.exe
3316	taskkill.exe
1528	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4644 PING.EXE

pid	process
4644	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

pid	process
692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

WMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1600	WMIC.exe
Token: SeSecurityPrivilege	1600	WMIC.exe
Token: SeTakeOwnershipPrivilege	1600	WMIC.exe
Token: SeLoadDriverPrivilege	1600	WMIC.exe
Token: SeSystemProfilePrivilege	1600	WMIC.exe
Token: SeSystemtimePrivilege	1600	WMIC.exe
Token: SeProfSingleProcessPrivilege	1600	WMIC.exe
Token: SeIncBasePriorityPrivilege	1600	WMIC.exe
Token: SeCreatePagefilePrivilege	1600	WMIC.exe
Token: SeBackupPrivilege	1600	WMIC.exe
Token: SeRestorePrivilege	1600	WMIC.exe
Token: SeShutdownPrivilege	1600	WMIC.exe
Token: SeDebugPrivilege	1600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1600	WMIC.exe
Token: SeRemoteShutdownPrivilege	1600	WMIC.exe
Token: SeUndockPrivilege	1600	WMIC.exe
Token: SeManageVolumePrivilege	1600	WMIC.exe
Token: 33	1600	WMIC.exe
Token: 34	1600	WMIC.exe
Token: 35	1600	WMIC.exe
Token: 36	1600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1600	WMIC.exe
Token: SeSecurityPrivilege	1600	WMIC.exe
Token: SeTakeOwnershipPrivilege	1600	WMIC.exe
Token: SeLoadDriverPrivilege	1600	WMIC.exe
Token: SeSystemProfilePrivilege	1600	WMIC.exe
Token: SeSystemtimePrivilege	1600	WMIC.exe
Token: SeProfSingleProcessPrivilege	1600	WMIC.exe
Token: SeIncBasePriorityPrivilege	1600	WMIC.exe
Token: SeCreatePagefilePrivilege	1600	WMIC.exe
Token: SeBackupPrivilege	1600	WMIC.exe
Token: SeRestorePrivilege	1600	WMIC.exe
Token: SeShutdownPrivilege	1600	WMIC.exe
Token: SeDebugPrivilege	1600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1600	WMIC.exe
Token: SeRemoteShutdownPrivilege	1600	WMIC.exe
Token: SeUndockPrivilege	1600	WMIC.exe
Token: SeManageVolumePrivilege	1600	WMIC.exe
Token: 33	1600	WMIC.exe
Token: 34	1600	WMIC.exe
Token: 35	1600	WMIC.exe
Token: 36	1600	WMIC.exe
Token: SeBackupPrivilege	5000	vssvc.exe
Token: SeRestorePrivilege	5000	vssvc.exe
Token: SeAuditPrivilege	5000	vssvc.exe
Token: SeDebugPrivilege	3996	taskkill.exe
Token: SeDebugPrivilege	208	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	3316	taskkill.exe
Token: SeDebugPrivilege	3612	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	3816	taskkill.exe
Token: SeDebugPrivilege	4708	taskkill.exe
Token: SeDebugPrivilege	4044	taskkill.exe
Token: SeDebugPrivilege	3416	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	4140	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 692 wrote to memory of 4388	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 4388	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 2568	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 2568	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 536	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 536	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 4996	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 4996	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 2184	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 2184	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2568 wrote to memory of 1600	2568	cmd.exe	WMIC.exe
PID 2568 wrote to memory of 1600	2568	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 3644	2184	cmd.exe	netsh.exe
PID 2184 wrote to memory of 3644	2184	cmd.exe	netsh.exe
PID 4388 wrote to memory of 3932	4388	cmd.exe	vssadmin.exe
PID 4388 wrote to memory of 3932	4388	cmd.exe	vssadmin.exe
PID 4996 wrote to memory of 4160	4996	cmd.exe	bcdedit.exe
PID 4996 wrote to memory of 4160	4996	cmd.exe	bcdedit.exe
PID 536 wrote to memory of 1252	536	cmd.exe	bcdedit.exe
PID 536 wrote to memory of 1252	536	cmd.exe	bcdedit.exe
PID 692 wrote to memory of 4136	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 4136	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 4136	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 2100	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 2100	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 2100	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 1252	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 1252	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 1252	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 1236	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 1236	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 1236	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 3600	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 3600	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 3600	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 1840	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 1840	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 1840	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 1372	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 1372	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 1372	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 3120	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 3120	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 3120	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 4472	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 4472	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 4472	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 2768	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 2768	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 2768	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 5096	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 5096	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 5096	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 4220	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 4220	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 4220	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 3088	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 3088	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 692 wrote to memory of 3088	692	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 1252 wrote to memory of 2088	1252	cmd.exe	taskkill.exe
PID 3088 wrote to memory of 208	3088	cmd.exe	taskkill.exe
PID 1252 wrote to memory of 2088	1252	cmd.exe	taskkill.exe
PID 1252 wrote to memory of 2088	1252	cmd.exe	taskkill.exe
PID 3088 wrote to memory of 208	3088	cmd.exe	taskkill.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
"C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3932

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c wmic shadowcopy delete /nointeractive
2⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1252

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c netsh advfirewall set allprofiles state off
2⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:3644

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c bcdedit /set {current} recoveryenabled no
2⤵
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:4160

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im note*
2⤵
PID:4136

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im note*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mys*
2⤵
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mys*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im post*
2⤵
PID:4220

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im post*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im vee*
2⤵
PID:5096

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im vee*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im python*
2⤵
PID:2768

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im python*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im java*
2⤵
PID:4472

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im java*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im apache*
2⤵
PID:3120

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im apache*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im tomcat*
2⤵
PID:1372

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im tomcat*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im sql*
2⤵
PID:1840

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sql*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im Exchange*
2⤵
PID:3600

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Exchange*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im excel*
2⤵
PID:1236

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im excel*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im winword*
2⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im winword*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im powerpnt*
2⤵
PID:2100

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im powerpnt*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1>nul & del /q C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
2⤵
PID:3452

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Music\!!Read_Me.F1387.html

Filesize
4KB

MD5
b887691c44edd496bba24c21fb557132

SHA1
11f8d6fb7297220fcb75e457af98c5714079cd8b

SHA256
6d491b4ea973e937c7624c8b9e8898cff2ddd340878efc2b7db8ae0d8393de20

SHA512
b69e54e8260949dcc7eda27a5e3ece48dbeb692af1e23740a18c2ce5a607b80dba7d257445048b7d583b0e8705807921fe527f841184fadbf124075b7e83e52d

Download Submit
memory/692-0-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads