Malware Analysis Report

2024-09-11 01:39

Sample ID 231013-zycgzscc86
Target malware.exe
SHA256 117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464
Tags
agenda persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

Threat Level: Known bad

The file malware.exe was found to be: Known bad.

Malicious Activity Summary

agenda persistence ransomware

Agenda Ransomware

Agenda family

Deletes shadow copies

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Interacts with shadow copies

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-10-13 21:07

Signatures

Agenda family

agenda

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-13 21:07

Reported

2023-10-13 21:10

Platform

win10v2004-20230915-en

Max time kernel

175s

Max time network

180s

Command Line

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

Signatures

Agenda Ransomware

ransomware agenda

Deletes shadow copies

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\malware.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Users\Public\enc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*aster = "C:\\Users\\Public\\enc.exe" C:\Users\Admin\AppData\Local\Temp\malware.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Users\Public\enc.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Users\Public\enc.exe N/A
File opened (read-only) \??\Q: C:\Users\Public\enc.exe N/A
File opened (read-only) \??\S: C:\Users\Public\enc.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Users\Public\enc.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Users\Public\enc.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\T: C:\Users\Public\enc.exe N/A
File opened (read-only) \??\X: C:\Users\Public\enc.exe N/A
File opened (read-only) \??\Z: C:\Users\Public\enc.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Users\Public\enc.exe N/A
File opened (read-only) \??\J: C:\Users\Public\enc.exe N/A
File opened (read-only) \??\R: C:\Users\Public\enc.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Users\Public\enc.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Users\Public\enc.exe N/A
File opened (read-only) \??\I: C:\Users\Public\enc.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\OnHnnBvUej-RECOVER-README.txt C:\Users\Public\enc.exe N/A
File created C:\Program Files\OnHnnBvUej-RECOVER-README.txt C:\Users\Public\enc.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Public\enc.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Public\enc.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Users\Public\enc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Public\enc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\malware.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\malware.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\enc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\malware.exe C:\Windows\System32\cmd.exe
PID 2132 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\malware.exe C:\Windows\System32\cmd.exe
PID 1072 wrote to memory of 2328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1072 wrote to memory of 2328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2132 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\malware.exe C:\Windows\system32\svchost.exe
PID 4972 wrote to memory of 812 N/A C:\Windows\system32\svchost.exe C:\Users\Public\enc.exe
PID 4972 wrote to memory of 812 N/A C:\Windows\system32\svchost.exe C:\Users\Public\enc.exe
PID 4972 wrote to memory of 4552 N/A C:\Windows\system32\svchost.exe C:\Users\Public\enc.exe
PID 4972 wrote to memory of 4552 N/A C:\Windows\system32\svchost.exe C:\Users\Public\enc.exe
PID 4552 wrote to memory of 4300 N/A C:\Users\Public\enc.exe C:\Windows\System32\cmd.exe
PID 4552 wrote to memory of 4300 N/A C:\Users\Public\enc.exe C:\Windows\System32\cmd.exe
PID 812 wrote to memory of 2280 N/A C:\Users\Public\enc.exe C:\Windows\System32\cmd.exe
PID 812 wrote to memory of 2280 N/A C:\Users\Public\enc.exe C:\Windows\System32\cmd.exe
PID 4300 wrote to memory of 4112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4300 wrote to memory of 4112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2280 wrote to memory of 4828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2280 wrote to memory of 4828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4972 wrote to memory of 1824 N/A C:\Windows\system32\svchost.exe C:\Users\Public\enc.exe
PID 4972 wrote to memory of 1824 N/A C:\Windows\system32\svchost.exe C:\Users\Public\enc.exe
PID 1824 wrote to memory of 1532 N/A C:\Users\Public\enc.exe C:\Windows\System32\cmd.exe
PID 1824 wrote to memory of 1532 N/A C:\Users\Public\enc.exe C:\Windows\System32\cmd.exe
PID 1532 wrote to memory of 1300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1532 wrote to memory of 1300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Users\Admin\AppData\Local\Temp\malware.exe

"C:\Users\Admin\AppData\Local\Temp\malware.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Users\Public\enc.exe

"C:\Users\Public\enc.exe"

C:\Users\Public\enc.exe

"C:\Users\Public\enc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Users\Public\enc.exe

"C:\Users\Public\enc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 121.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 254.105.26.67.in-addr.arpa udp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 120.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

C:\Users\Public\pwndll.dll

MD5 e966c38c5b1a05d0bd86eb0edc1d3b84
SHA1 f10443e13b82c93f203c0428a357205aa55f2dee
SHA256 28aeb2d6576b2437ecab535c0a1bf41713ee9864611965bf1d498a87cbdd2fab
SHA512 6c80ec34f0d581e0924cb58f22e5bc70e36fcc6119db779744fad007bd943d95e5f646f06244e9a5aa40685649b7730e46dded68c0732e81559dded33a4dbe7b

C:\Users\Public\enc.exe

MD5 a7ab0969bf6641cd0c7228ae95f6d217
SHA1 002971b6d178698bf7930b5b89c201750d80a07e
SHA256 117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464
SHA512 7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\ProgramData\OnHnnBvUej-RECOVER-README.txt

MD5 3a29ccf8fcbac5d1797999d3699375b1
SHA1 9993778053593d2704992f9e9cd7b79f4bd4a244
SHA256 534b085697b8406738b3281c1ca067cc90290ca8d44d2608eecdf4c0626c7e16
SHA512 99c1c76acd7e6ba366505000a21dc77400cb5531203f658d311d4b3926db90f331b870bb4d0bd6cd7731a41657b97d62feedb6fab74cee602c8fd91cc1d73600