agenda | 117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

Analysis

max time kernel
175s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware.exe
Size

7.7MB
MD5

a7ab0969bf6641cd0c7228ae95f6d217
SHA1

002971b6d178698bf7930b5b89c201750d80a07e
SHA256

117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464
SHA512

7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a
SSDEEP

49152:mwHittZSrb/TjvO90dL3BmAFd4A64nsfJTGNHltPgQjre0Q2hEsj2kcR9RsU/2LU:mwUs3dfC2at9kDXdmG55wuzZqGdE

Score

10^/10

agenda persistence ransomware

Malware Config

Extracted

Family

agenda

Attributes

company_id
OnHnnBvUej
note
-- Agenda Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: OnHnnBvUej Domain: login: bd61eb78-64a3-4ee0-9a8e-543b8bc12b5e password: 14158620-fb98-4889-87cb-f5251368fc21

rsa_pubkey.plain

Extracted

Path

C:\ProgramData\OnHnnBvUej-RECOVER-README.txt

Family

agenda

Ransom Note

-- Agenda Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: OnHnnBvUej Domain: login: bd61eb78-64a3-4ee0-9a8e-543b8bc12b5e password: 14158620-fb98-4889-87cb-f5251368fc21%!(EXTRA string=same as login)

Signatures

Agenda Ransomware
A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
ransomware agenda
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

malware.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation malware.exe
Executes dropped EXE 4 IoCs

Processes:

svchost.exeenc.exeenc.exeenc.exe

pid process

4972 svchost.exe
812 enc.exe
4552 enc.exe
1824 enc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	malware.exe

pid	process
4972	svchost.exe
812	enc.exe
4552	enc.exe
1824	enc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

malware.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*aster = "C:\\Users\\Public\\enc.exe"	malware.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exesvchost.exesvchost.exeenc.exe

description	ioc	process
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\H:	enc.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\O:	enc.exe
File opened (read-only)	\??\Q:	enc.exe
File opened (read-only)	\??\S:	enc.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\W:	enc.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\V:	enc.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\T:	enc.exe
File opened (read-only)	\??\X:	enc.exe
File opened (read-only)	\??\Z:	enc.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\A:	enc.exe
File opened (read-only)	\??\J:	enc.exe
File opened (read-only)	\??\R:	enc.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\U:	enc.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\G:	enc.exe
File opened (read-only)	\??\I:	enc.exe
File opened (read-only)	\??\E:	svchost.exe

Drops file in Program Files directory 2 IoCs

Processes:

enc.exe

description	ioc	process
File created	C:\Program Files (x86)\OnHnnBvUej-RECOVER-README.txt	enc.exe
File created	C:\Program Files\OnHnnBvUej-RECOVER-README.txt	enc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 4 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

4828 vssadmin.exe
1300 vssadmin.exe
2328 vssadmin.exe
4112 vssadmin.exe

pid	process
4828	vssadmin.exe
1300	vssadmin.exe
2328	vssadmin.exe
4112	vssadmin.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

enc.exeenc.exeenc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-492 = "India Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	enc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-622 = "Korea Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	enc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-572 = "China Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time"	enc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

malware.exe

pid	process
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe
2132	malware.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

malware.exevssvc.exesvchost.exeenc.exeenc.exesvchost.exeenc.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2132	malware.exe
Token: SeBackupPrivilege	4672	vssvc.exe
Token: SeRestorePrivilege	4672	vssvc.exe
Token: SeAuditPrivilege	4672	vssvc.exe
Token: SeAuditPrivilege	1932	svchost.exe
Token: SeAuditPrivilege	1932	svchost.exe
Token: SeAuditPrivilege	1932	svchost.exe
Token: SeAuditPrivilege	1932	svchost.exe
Token: SeAuditPrivilege	1932	svchost.exe
Token: SeAuditPrivilege	1932	svchost.exe
Token: SeAuditPrivilege	1932	svchost.exe
Token: SeAuditPrivilege	1932	svchost.exe
Token: SeAuditPrivilege	1932	svchost.exe
Token: SeAuditPrivilege	1932	svchost.exe
Token: SeAuditPrivilege	1932	svchost.exe
Token: SeAuditPrivilege	1932	svchost.exe
Token: SeDebugPrivilege	812	enc.exe
Token: SeDebugPrivilege	4552	enc.exe
Token: SeAuditPrivilege	928	svchost.exe
Token: SeAuditPrivilege	928	svchost.exe
Token: SeDebugPrivilege	1824	enc.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe
Token: SeAuditPrivilege	2712	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

malware.execmd.exesvchost.exeenc.exeenc.execmd.execmd.exeenc.execmd.exe

description	pid	process	target process
PID 2132 wrote to memory of 1072	2132	malware.exe	cmd.exe
PID 2132 wrote to memory of 1072	2132	malware.exe	cmd.exe
PID 1072 wrote to memory of 2328	1072	cmd.exe	vssadmin.exe
PID 1072 wrote to memory of 2328	1072	cmd.exe	vssadmin.exe
PID 2132 wrote to memory of 4972	2132	malware.exe	svchost.exe
PID 4972 wrote to memory of 812	4972	svchost.exe	enc.exe
PID 4972 wrote to memory of 812	4972	svchost.exe	enc.exe
PID 4972 wrote to memory of 4552	4972	svchost.exe	enc.exe
PID 4972 wrote to memory of 4552	4972	svchost.exe	enc.exe
PID 4552 wrote to memory of 4300	4552	enc.exe	cmd.exe
PID 4552 wrote to memory of 4300	4552	enc.exe	cmd.exe
PID 812 wrote to memory of 2280	812	enc.exe	cmd.exe
PID 812 wrote to memory of 2280	812	enc.exe	cmd.exe
PID 4300 wrote to memory of 4112	4300	cmd.exe	vssadmin.exe
PID 4300 wrote to memory of 4112	4300	cmd.exe	vssadmin.exe
PID 2280 wrote to memory of 4828	2280	cmd.exe	vssadmin.exe
PID 2280 wrote to memory of 4828	2280	cmd.exe	vssadmin.exe
PID 4972 wrote to memory of 1824	4972	svchost.exe	enc.exe
PID 4972 wrote to memory of 1824	4972	svchost.exe	enc.exe
PID 1824 wrote to memory of 1532	1824	enc.exe	cmd.exe
PID 1824 wrote to memory of 1532	1824	enc.exe	cmd.exe
PID 1532 wrote to memory of 1300	1532	cmd.exe	vssadmin.exe
PID 1532 wrote to memory of 1300	1532	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Public\enc.exe
"C:\Users\Public\enc.exe"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:4828

C:\Users\Public\enc.exe
"C:\Users\Public\enc.exe"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:4112

C:\Users\Public\enc.exe
"C:\Users\Public\enc.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1300

C:\Users\Admin\AppData\Local\Temp\malware.exe
"C:\Users\Admin\AppData\Local\Temp\malware.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OnHnnBvUej-RECOVER-README.txt

Filesize
1KB

MD5
3a29ccf8fcbac5d1797999d3699375b1

SHA1
9993778053593d2704992f9e9cd7b79f4bd4a244

SHA256
534b085697b8406738b3281c1ca067cc90290ca8d44d2608eecdf4c0626c7e16

SHA512
99c1c76acd7e6ba366505000a21dc77400cb5531203f658d311d4b3926db90f331b870bb4d0bd6cd7731a41657b97d62feedb6fab74cee602c8fd91cc1d73600

Download Submit
C:\Users\Public\enc.exe

Filesize
7.7MB

MD5
a7ab0969bf6641cd0c7228ae95f6d217

SHA1
002971b6d178698bf7930b5b89c201750d80a07e

SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Download Submit
C:\Users\Public\enc.exe

Filesize
7.7MB

MD5
a7ab0969bf6641cd0c7228ae95f6d217

SHA1
002971b6d178698bf7930b5b89c201750d80a07e

SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Download Submit
C:\Users\Public\enc.exe

Filesize
7.7MB

MD5
a7ab0969bf6641cd0c7228ae95f6d217

SHA1
002971b6d178698bf7930b5b89c201750d80a07e

SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Download Submit
C:\Users\Public\enc.exe

Filesize
7.7MB

MD5
a7ab0969bf6641cd0c7228ae95f6d217

SHA1
002971b6d178698bf7930b5b89c201750d80a07e

SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Download Submit
C:\Users\Public\pwndll.dll

Filesize
91KB

MD5
e966c38c5b1a05d0bd86eb0edc1d3b84

SHA1
f10443e13b82c93f203c0428a357205aa55f2dee

SHA256
28aeb2d6576b2437ecab535c0a1bf41713ee9864611965bf1d498a87cbdd2fab

SHA512
6c80ec34f0d581e0924cb58f22e5bc70e36fcc6119db779744fad007bd943d95e5f646f06244e9a5aa40685649b7730e46dded68c0732e81559dded33a4dbe7b

Download Submit
C:\Users\Public\pwndll.dll

Filesize
91KB

MD5
e966c38c5b1a05d0bd86eb0edc1d3b84

SHA1
f10443e13b82c93f203c0428a357205aa55f2dee

SHA256
28aeb2d6576b2437ecab535c0a1bf41713ee9864611965bf1d498a87cbdd2fab

SHA512
6c80ec34f0d581e0924cb58f22e5bc70e36fcc6119db779744fad007bd943d95e5f646f06244e9a5aa40685649b7730e46dded68c0732e81559dded33a4dbe7b

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit