locky | b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe

General

Target

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
Size

169KB
MD5

98562209465bec53327e65649a2b8829
SHA1

3a47656ed3df213bd934aa01078a863568fe9f2b
SHA256

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe
SHA512

c11ce14f9cb75df2bc9bd81971c1f8fa885815715f389eb8e796e0f657de59756b36a6f896c216a03c7be7bb3ddff9b8a47aee71146760e4f4d9c6bdc0ff2cc3
SSDEEP

3072:iFgiMd04bHHr/QFDtaruNyXgs7WL61fXbEiVkYELY2P+gA/PF:UE3bHL/ngsu61kYELNmhF

Score

10^/10

locky evasion ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Music\!!Read_Me.CBF5C.html

Ransom Note

<!DOCTYPE html><h1>#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK</h1>Dear Sir Your files are encrypted with RSA4096 and AES encryption algorithm. But don't worry, you can return all your files!! follow the instructions to recover your files Cooperate with us and get the decrypter program as soon as possible will be your best solution. Only our software can decrypt all your encrypted files. What guarantees you have? We take our reputation seriously. We reject any form of deceptionYou can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain any valuable information. When hiring third-party negotiators or recovery companies. listen to what they tell you. try to think. Are they really interested in solving your problems or are they just thinking about their profit and ambitions? By the way.We have stolen lots of your company and your private data which includes doc,xls,pdf,jpg,mdf,sql,pst... Here we upload sample files of your company and your private data on our blog : http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion We promise that if you don't pay within a week, we will package and publish all of your company and your data on our website. We also promise we can decrypt all of your data and delete all your files on internet after your payment. Such leaks of information lead to losses for the company. fines and lawsuits. And don't forget that information can fall into the hands of competitors! For us this is just business and to prove to you our seriousness. Our e-mail: [email protected] Reserve e-mail: [email protected] [email protected] Device ID: AAwX5gjLw4yNyEjLwEDLLh1RBZUQJFFLGhDMyITM3EENDlDM3UzNxEkN4YjQwMUQFRUQ0UkMGZUQwYzMDR0NBZUOEVER5ADM1kDRBJDR2UENyQ0MGFjNENjMEZkRGhTMFZkN3MzQEF0M4cjR1UUNEN0MGBTNEBDMCFUQ2cDOFVkMEVUOzkzQ0IDR5AzQDZEMEZUNBdTM2ATR2MkQCJUNyIENwAzM0EDN3EjQ2IzQ0YjNFJ0MxQkM1YTNChDN1U0QGNjRFNDOCRTOGBTQxETR1E0MFVkRFlzM5gDNyUkNzYjR2Q0QFNkMxATM4EDRwYjNyEEM2EUM4IURENEMCZjN2MURBZzM1kjNxIDRDNTQCFDMwYEO0QERwYjM1UkQyEENCJzQ5MTMwQjNwEkQ1YjNFdTO3Q0NBVUMChTRGZ0MxM0NxUDO1QTOBJTOEJkNxMkMGNTN2ATO0QjMFdzQyMUN5kTM0UTQDlTODNUM0EzNFV0N5YzMGVTMDJzQ3QEOEBjM5EzM0QTMENEOCljM2MjNwYkNBJTOxU0QygjQEJ0MBhDOGRUOygDR2YDRxI0NBZUQyUUQEVDOFZjQDNTQElTMBhjMCFjN1YENxYjRGlTN1YkRwIkMzQkNygDOFhjNBFzQ5E0NyQDMzUTNzQjRFF0NGJTQEVEMDJURGhjMFRjNDNUQ1UkMDVzQDRTQCVTRDNzMGljNEZDNDNzMGhDN2I0NzUTMxIzNykTNGNjQENzQ2QUQEZTMzIDM3EzMFV0MDhTQ1MDN0YkM0E0NxIjN0gzMBJUOyQjMGNzQCdTOFRERDN0QGBDM1I0N0ADR5I0NBljQGRUMyUENDZTMBVkN4YjQygjNFRjQyQTN3kTQyMzQCF0MzMDO1IzM0MzMyQTODFEM4E0QycDR0UEOxcTO3QURxAjR4kTMCFTRxMjQzEzNxITNwQUM4YjNFhzM5Y0M0ADOxADR3EEOyMjMxEUQFBjQwUTMDFEOGVTQClDM1gzQwcjRGVjN5MjQ1UDNzMkRGlzNzgjM5ADM1QjNFJ0QEJzN3E0QBZjR1MUM4M0Q2MjNzAjNCdzNDBDNFZUN1cTR3gDM3IkR5U0QxITN0E0MCRjN1EDO5UDO1AjNERDNzITOEBjMDhjQ3YTNEZERyYkM2MDOxAzM4UUM4U0MBJTOFRUQyYjNwYkM3ATMGNjMCBzNxYENzQDMDZjR4UjQ2Q0N0QUO5QERFJTNDJUO2IDMGhTNyYTNEFjQFFkN5gDOwQUMwEkN2QTNGdDN3EkQEFEO0YDMGhDMGNzNxUEM5UEMCFkQ0kDM2IkQ5kTMxUDM3YjNyMzMBJURBZDO1IDNBJUM5EjNEJUMCJEOFBDM1gjNBJTQCVTOzIUQzQDRxMUO0UEMxIzM1EDN3MjMwwyN2ADOxEzMBFTQzUUOFNDR4UDNChjMGJURCRkM2EkN4UDNGBjN5Q0Q1UUMBZEN1ATO2MUODVUMBVTRBljR5kTMDBzMEVkQ0ITQyYDOGNENFRkQEFUQFRTOBhDOCRURDBjM3Q0MGNEOCFjRxQkMDRTM5UjNBFUR2UDM4YzMFNTQzMTQBBTMBRUQCNjR1MkRGJTQzQDOzgzM5MERDR0NEJjM1QDM5AjNCRjRxETODljQ5gDOCZkM5cDO4IURzYjM1E0NyUUQ5YkRDFDOBRERyQUR1ATR4ADNGZEO5YkMxAjQFFTRGVkNDRTRGdTNEVER5ETMGREN5UkN1QDNzMTQDJTMyIERDJTO0IUNGlTMGFjQENjMENTODFjN1YzMEREMFNkMwU0NGV0M2gjQDNTOCNUMzETOxcTNxUkRxU0QwYkMDFTNykzMEJzMyQENxYTO3gTQGRURGJ0NzcTQzETOFlDOxITNyUzN1IUOBNUQBJUO5EENEZUN2MkNEFkN3YUN2QkRFdTQBVDOCBjRGJEO5QjRBNTQ5UTNFBDMGVjMzgzQyMUR3kDNGVkN4gDR0ITM3UEOBNkNFFTQyEDNDZERzUkNGRTRzgzMzYjRDJjNxUDM0UTNxYkN1cTRGFDNDF0QBNDN3IEOEJER2EUQ0EjRwQTR4UUMwUkM2UDR2cDM5kjM3gjR0MTQFBDO4YTOxUzQEFDRBJDNGlzQ3EzMyIjM2cDODZkR0MTNwQjN0I0MyMTQDVDRwMTNGhjQxUUQGhjR4MDN1gzQBZTQ5QjR5UUR0YkN5kjM5EDM3YjMFZTNFBjQ2MUNGBDNyYkQzIERCNkQGFjNBFEMyQUO0UEOwEkRGhDM2ETMwYEN5YTREljN3YkMzUkQzYkRCljM3ITN4ITMCZDMwUURDJzNGhTQ2IDR1AjRxkzQ4QTR0EzNDZEOxQzNDNDR2EUMEZERCdTR5kTQyY0NCFjNFVkREREMFNTRFFkRBZTQCJzN5gzM3cDN0UTR2gDNwQDMwUkMwAjR1EkM5YzMzcTQwATRzUTR1IEM2MTN1YUO2ATMCdjM4MDRGVkRxgzM2MUOzgDOwgzMwQTOxY0QxYkNxMkMCNjM1QUM2czM4IkRCdTQDZTMEdjMDBTMyQzNyIjMwMkMBZUN0QUR1UEO3UEM1MjMFFjN3IENwMkMFJER4MjQ5gjN0UTQwIjR4IDNENEO0UUO4kzQ4EUQwkTO2cTMxkDM4EER2MkN5UURFNzMwMTMzMUQyQjNBlTMEVDMCJTNyADN4QzNBdTQEBTQElzMBFTOwATQ3MjNBRkM1cjR1YUM4MTNzMzMyAzM5cDRwkzNBJzM3ATOBNkR0cjQykzQ4QkQDhTMFRUO2EUN

Emails

[email protected]

e-mail: [email protected] [email protected] Device

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4656 bcdedit.exe
4692 bcdedit.exe
Renames multiple (164) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

4664 netsh.exe

pid	process
4656	bcdedit.exe
4692	bcdedit.exe

pid	process
4664	netsh.exe

Drops file in Program Files directory 1 IoCs

Processes:

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Configuration\configuration.sqlite	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4780 vssadmin.exe

pid	process
4780	vssadmin.exe

Kills process with taskkill 13 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3988	taskkill.exe
1264	taskkill.exe
4684	taskkill.exe
1588	taskkill.exe
1912	taskkill.exe
224	taskkill.exe
1352	taskkill.exe
3492	taskkill.exe
1084	taskkill.exe
3540	taskkill.exe
1856	taskkill.exe
3068	taskkill.exe
4024	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5712 PING.EXE

pid	process
5712	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

pid	process
4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

WMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	5008	WMIC.exe
Token: SeSecurityPrivilege	5008	WMIC.exe
Token: SeTakeOwnershipPrivilege	5008	WMIC.exe
Token: SeLoadDriverPrivilege	5008	WMIC.exe
Token: SeSystemProfilePrivilege	5008	WMIC.exe
Token: SeSystemtimePrivilege	5008	WMIC.exe
Token: SeProfSingleProcessPrivilege	5008	WMIC.exe
Token: SeIncBasePriorityPrivilege	5008	WMIC.exe
Token: SeCreatePagefilePrivilege	5008	WMIC.exe
Token: SeBackupPrivilege	5008	WMIC.exe
Token: SeRestorePrivilege	5008	WMIC.exe
Token: SeShutdownPrivilege	5008	WMIC.exe
Token: SeDebugPrivilege	5008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5008	WMIC.exe
Token: SeRemoteShutdownPrivilege	5008	WMIC.exe
Token: SeUndockPrivilege	5008	WMIC.exe
Token: SeManageVolumePrivilege	5008	WMIC.exe
Token: 33	5008	WMIC.exe
Token: 34	5008	WMIC.exe
Token: 35	5008	WMIC.exe
Token: 36	5008	WMIC.exe
Token: SeBackupPrivilege	1468	vssvc.exe
Token: SeRestorePrivilege	1468	vssvc.exe
Token: SeAuditPrivilege	1468	vssvc.exe
Token: SeIncreaseQuotaPrivilege	5008	WMIC.exe
Token: SeSecurityPrivilege	5008	WMIC.exe
Token: SeTakeOwnershipPrivilege	5008	WMIC.exe
Token: SeLoadDriverPrivilege	5008	WMIC.exe
Token: SeSystemProfilePrivilege	5008	WMIC.exe
Token: SeSystemtimePrivilege	5008	WMIC.exe
Token: SeProfSingleProcessPrivilege	5008	WMIC.exe
Token: SeIncBasePriorityPrivilege	5008	WMIC.exe
Token: SeCreatePagefilePrivilege	5008	WMIC.exe
Token: SeBackupPrivilege	5008	WMIC.exe
Token: SeRestorePrivilege	5008	WMIC.exe
Token: SeShutdownPrivilege	5008	WMIC.exe
Token: SeDebugPrivilege	5008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5008	WMIC.exe
Token: SeRemoteShutdownPrivilege	5008	WMIC.exe
Token: SeUndockPrivilege	5008	WMIC.exe
Token: SeManageVolumePrivilege	5008	WMIC.exe
Token: 33	5008	WMIC.exe
Token: 34	5008	WMIC.exe
Token: 35	5008	WMIC.exe
Token: 36	5008	WMIC.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	3988	taskkill.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	3492	taskkill.exe
Token: SeDebugPrivilege	224	taskkill.exe
Token: SeDebugPrivilege	4024	taskkill.exe
Token: SeDebugPrivilege	1856	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	3540	taskkill.exe
Token: SeDebugPrivilege	4684	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4204 wrote to memory of 2812	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 2812	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 260	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 260	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 4276	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 4276	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3684	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3684	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 1064	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 1064	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2812 wrote to memory of 4780	2812	cmd.exe	vssadmin.exe
PID 2812 wrote to memory of 4780	2812	cmd.exe	vssadmin.exe
PID 4276 wrote to memory of 4656	4276	cmd.exe	bcdedit.exe
PID 4276 wrote to memory of 4656	4276	cmd.exe	bcdedit.exe
PID 1064 wrote to memory of 4664	1064	cmd.exe	netsh.exe
PID 1064 wrote to memory of 4664	1064	cmd.exe	netsh.exe
PID 3684 wrote to memory of 4692	3684	cmd.exe	bcdedit.exe
PID 3684 wrote to memory of 4692	3684	cmd.exe	bcdedit.exe
PID 260 wrote to memory of 5008	260	cmd.exe	WMIC.exe
PID 260 wrote to memory of 5008	260	cmd.exe	WMIC.exe
PID 4204 wrote to memory of 4696	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 4696	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 4696	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 1184	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 1184	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 1184	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 4356	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 4356	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 4356	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3352	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3352	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3352	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 4788	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 4788	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 4788	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 1872	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 1872	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 1872	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 976	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 976	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 976	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 2376	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 2376	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 2376	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3816	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3816	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3816	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3828	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3828	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3828	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3368	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3368	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3368	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3584	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3584	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 3584	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 2112	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 2112	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4204 wrote to memory of 2112	4204	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2112 wrote to memory of 1856	2112	cmd.exe	taskkill.exe
PID 2112 wrote to memory of 1856	2112	cmd.exe	taskkill.exe
PID 2112 wrote to memory of 1856	2112	cmd.exe	taskkill.exe
PID 3816 wrote to memory of 3068	3816	cmd.exe	taskkill.exe
PID 3816 wrote to memory of 3068	3816	cmd.exe	taskkill.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
"C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4780

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c wmic shadowcopy delete /nointeractive
2⤵
- Suspicious use of WriteProcessMemory
PID:260

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:4656

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c bcdedit /set {current} recoveryenabled no
2⤵
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:4692

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c netsh advfirewall set allprofiles state off
2⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:4664

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mys*
2⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mys*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im post*
2⤵
PID:3584

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im post*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im vee*
2⤵
PID:3368

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im vee*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im python*
2⤵
PID:3828

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im python*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im java*
2⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im java*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im apache*
2⤵
PID:2376

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im apache*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im tomcat*
2⤵
PID:976

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im tomcat*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im sql*
2⤵
PID:1872

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sql*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im Exchange*
2⤵
PID:4788

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Exchange*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im excel*
2⤵
PID:3352

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im excel*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im winword*
2⤵
PID:4356

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im winword*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im powerpnt*
2⤵
PID:1184

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im powerpnt*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im note*
2⤵
PID:4696

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im note*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1>nul & del /q C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
2⤵
PID:5668

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:5712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Music\!!Read_Me.CBF5C.html
Filesize
4KB

MD5
4f72901ab4e11b9835d9055f2ec1418e

SHA1
68f8bbf133682edab9c0d47d0c4c9163e84802ed

SHA256
854cd078b76f87f92a9f63e1d79852e4abab5fd03df0d40981c5847973083f66

SHA512
55dfc457e2f4fdd644ef7c3165e9a71cb86feaf79c07c2cf5ed60599cbf18d5cdc2a2d24fad4d1a09c7d796f3ef1e16e633e42532688afa79daed362c72a4df5

Download Submit
memory/4204-0-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads