033b4950a8f249b20eb86ec6f8f2ea0a1567bb164289d1aa7fb0ba51f9bbe46c

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
29-11-2023 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64CO.exe
Size

1.2MB
MD5

a80b79de02d6881d5e54afcefa38298a
SHA1

e0d3e2612a757ff5be818b114028a0e4bb562bc5
SHA256

033b4950a8f249b20eb86ec6f8f2ea0a1567bb164289d1aa7fb0ba51f9bbe46c
SHA512

1fbe52a0086a33a98e48f501c669f3a9e82b5795550702eb61ccc281c77ba29fe217a5897b6caf55582ca1c16d062a2d3219a596d4372c70782bc49499e0ed4f
SSDEEP

24576:FCLKd8jHzb9904e43wa2SZ6Es9S+Nm0m:4K099ReumEwS+

Score

9^/10

evasion persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1304	bcdedit.exe
1944	bcdedit.exe

Renames multiple (916) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1964	wbadmin.exe
2176	wbadmin.exe

Drops file in Drivers directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\protocol.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\drivers\etc\services	64CO.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.keversen	64CO.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	64CO.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks	64CO.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.keversen	64CO.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.keversen	64CO.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol	64CO.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.keversen	64CO.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.inprocess	64CO.exe

Deletes itself 1 IoCs

pid	Process
1928	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\64CO.exe\" e"	64CO.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-2085049433-1067986815-1244098655-1000\desktop.ini	64CO.exe

Enumerates connected drives 3 TTPs 39 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	64CO.exe
File opened (read-only)	\??\J:	64CO.exe
File opened (read-only)	\??\Q:	64CO.exe
File opened (read-only)	\??\W:	64CO.exe
File opened (read-only)	\??\X:	64CO.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\I:	64CO.exe
File opened (read-only)	\??\M:	64CO.exe
File opened (read-only)	\??\N:	64CO.exe
File opened (read-only)	\??\Z:	64CO.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\Y:	64CO.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\O:	64CO.exe
File opened (read-only)	\??\R:	64CO.exe
File opened (read-only)	\??\S:	64CO.exe
File opened (read-only)	\??\D:	64CO.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\G:	64CO.exe
File opened (read-only)	\??\P:	64CO.exe
File opened (read-only)	\??\V:	64CO.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\A:	64CO.exe
File opened (read-only)	\??\E:	64CO.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\B:	64CO.exe
File opened (read-only)	\??\L:	64CO.exe
File opened (read-only)	\??\U:	64CO.exe
File opened (read-only)	\??\F:	64CO.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\K:	64CO.exe
File opened (read-only)	\??\T:	64CO.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred	64CO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	64CO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\config\DEFAULT	64CO.exe
File opened for modification	C:\Windows\System32\config\RegBack\SAM	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.keversen	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.keversen	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\ac956b95-7128-41eb-9583-7cb00455c5ca.keversen	64CO.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	64CO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\8191d76a-2c1a-4dfd-a86d-8cd114eaedad.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c	64CO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	64CO.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS	64CO.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.keversen	64CO.exe
File opened for modification	C:\Windows\System32\config\RegBack\DEFAULT	64CO.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.keversen	64CO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	64CO.exe
File opened for modification	C:\Windows\System32\config\SECURITY	64CO.exe
File opened for modification	C:\Windows\System32\config\SOFTWARE	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.keversen	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred	64CO.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.keversen	64CO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.keversen	64CO.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.keversen	64CO.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	64CO.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.keversen	64CO.exe
File opened for modification	C:\Windows\System32\config\SAM	64CO.exe
File opened for modification	C:\Windows\System32\config\RegBack\SECURITY	64CO.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.inprocess	64CO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.keversen	64CO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	64CO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	64CO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.keversen	64CO.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.keversen	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\5d88ea6a-c342-44e4-a674-4ec3dda0554e	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.keversen	64CO.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	64CO.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.keversen	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\5d88ea6a-c342-44e4-a674-4ec3dda0554e.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\ac956b95-7128-41eb-9583-7cb00455c5ca.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	64CO.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.keversen	64CO.exe
File opened for modification	C:\Windows\System32\config\BCD-Template	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\8191d76a-2c1a-4dfd-a86d-8cd114eaedad	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\5d88ea6a-c342-44e4-a674-4ec3dda0554e.keversen	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.keversen	64CO.exe
File opened for modification	C:\Windows\System32\config\SYSTEM	64CO.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.keversen	64CO.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess	64CO.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.keversen	64CO.exe
File opened for modification	C:\Windows\System32\config\RegBack\SOFTWARE	64CO.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess	64CO.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Algiers	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Paramaribo.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-14.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Volgograd.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\HST10.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Casey.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Istanbul.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Macau.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Inuvik.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Troll.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EST	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Halifax.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santiago.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Tirane.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Chagos.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\blacklist.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Rome	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8PDT.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Novosibirsk	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santarem.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yakutat.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Prague.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Edmonton.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Troll.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Edmonton	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kuala_Lumpur.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius	64CO.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Canary.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Krasnoyarsk.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ulaanbaatar	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yellowknife	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Norfolk	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\meta-index.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Curacao.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kuching.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-4.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-6.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Midway	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\meta-index	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Niue	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Adelaide.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Fortaleza.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guyana	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Minsk	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7MDT.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Lagos.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Manaus	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Stockholm.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Eirunepe	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Nicosia.inprocess	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Dublin.keversen	64CO.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Tallinn.inprocess	64CO.exe

Drops file in Windows directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_2	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_0	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_2	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb1	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb0	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_1	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_3	64CO.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb2	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_1	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th0	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th1	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th2	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th2	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_0	64CO.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Boot\PCAT\bootmgr	64CO.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\BCD	64CO.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.inprocess	64CO.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.keversen	64CO.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.keversen	64CO.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.keversen	64CO.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb0	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb2	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\enwindow	64CO.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\BCD	64CO.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Panther\setupinfo.inprocess	64CO.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	64CO.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb1	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th1	64CO.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th0	64CO.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\dewindow	64CO.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess	64CO.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Panther\setupinfo	64CO.exe
File opened for modification	C:\Windows\Panther\setupinfo.keversen	64CO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 13 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2484	vssadmin.exe
2396	vssadmin.exe
2968	vssadmin.exe
2516	vssadmin.exe
2096	vssadmin.exe
2276	vssadmin.exe
2992	vssadmin.exe
2736	vssadmin.exe
2684	vssadmin.exe
3012	vssadmin.exe
2028	vssadmin.exe
2912	vssadmin.exe
2672	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe
1764	64CO.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeBackupPrivilege	2160	vssvc.exe
Token: SeRestorePrivilege	2160	vssvc.exe
Token: SeAuditPrivilege	2160	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1876	wmic.exe
Token: SeSecurityPrivilege	1876	wmic.exe
Token: SeTakeOwnershipPrivilege	1876	wmic.exe
Token: SeLoadDriverPrivilege	1876	wmic.exe
Token: SeSystemProfilePrivilege	1876	wmic.exe
Token: SeSystemtimePrivilege	1876	wmic.exe
Token: SeProfSingleProcessPrivilege	1876	wmic.exe
Token: SeIncBasePriorityPrivilege	1876	wmic.exe
Token: SeCreatePagefilePrivilege	1876	wmic.exe
Token: SeBackupPrivilege	1876	wmic.exe
Token: SeRestorePrivilege	1876	wmic.exe
Token: SeShutdownPrivilege	1876	wmic.exe
Token: SeDebugPrivilege	1876	wmic.exe
Token: SeSystemEnvironmentPrivilege	1876	wmic.exe
Token: SeRemoteShutdownPrivilege	1876	wmic.exe
Token: SeUndockPrivilege	1876	wmic.exe
Token: SeManageVolumePrivilege	1876	wmic.exe
Token: 33	1876	wmic.exe
Token: 34	1876	wmic.exe
Token: 35	1876	wmic.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2992	1764	64CO.exe	28
PID 1764 wrote to memory of 2992	1764	64CO.exe	28
PID 1764 wrote to memory of 2992	1764	64CO.exe	28
PID 1764 wrote to memory of 2968	1764	64CO.exe	33
PID 1764 wrote to memory of 2968	1764	64CO.exe	33
PID 1764 wrote to memory of 2968	1764	64CO.exe	33
PID 1764 wrote to memory of 2736	1764	64CO.exe	35
PID 1764 wrote to memory of 2736	1764	64CO.exe	35
PID 1764 wrote to memory of 2736	1764	64CO.exe	35
PID 1764 wrote to memory of 2912	1764	64CO.exe	37
PID 1764 wrote to memory of 2912	1764	64CO.exe	37
PID 1764 wrote to memory of 2912	1764	64CO.exe	37
PID 1764 wrote to memory of 2684	1764	64CO.exe	39
PID 1764 wrote to memory of 2684	1764	64CO.exe	39
PID 1764 wrote to memory of 2684	1764	64CO.exe	39
PID 1764 wrote to memory of 2672	1764	64CO.exe	41
PID 1764 wrote to memory of 2672	1764	64CO.exe	41
PID 1764 wrote to memory of 2672	1764	64CO.exe	41
PID 1764 wrote to memory of 3012	1764	64CO.exe	43
PID 1764 wrote to memory of 3012	1764	64CO.exe	43
PID 1764 wrote to memory of 3012	1764	64CO.exe	43
PID 1764 wrote to memory of 2516	1764	64CO.exe	45
PID 1764 wrote to memory of 2516	1764	64CO.exe	45
PID 1764 wrote to memory of 2516	1764	64CO.exe	45
PID 1764 wrote to memory of 2096	1764	64CO.exe	47
PID 1764 wrote to memory of 2096	1764	64CO.exe	47
PID 1764 wrote to memory of 2096	1764	64CO.exe	47
PID 1764 wrote to memory of 2276	1764	64CO.exe	49
PID 1764 wrote to memory of 2276	1764	64CO.exe	49
PID 1764 wrote to memory of 2276	1764	64CO.exe	49
PID 1764 wrote to memory of 2484	1764	64CO.exe	51
PID 1764 wrote to memory of 2484	1764	64CO.exe	51
PID 1764 wrote to memory of 2484	1764	64CO.exe	51
PID 1764 wrote to memory of 2396	1764	64CO.exe	53
PID 1764 wrote to memory of 2396	1764	64CO.exe	53
PID 1764 wrote to memory of 2396	1764	64CO.exe	53
PID 1764 wrote to memory of 2028	1764	64CO.exe	55
PID 1764 wrote to memory of 2028	1764	64CO.exe	55
PID 1764 wrote to memory of 2028	1764	64CO.exe	55
PID 1764 wrote to memory of 1304	1764	64CO.exe	57
PID 1764 wrote to memory of 1304	1764	64CO.exe	57
PID 1764 wrote to memory of 1304	1764	64CO.exe	57
PID 1764 wrote to memory of 1944	1764	64CO.exe	59
PID 1764 wrote to memory of 1944	1764	64CO.exe	59
PID 1764 wrote to memory of 1944	1764	64CO.exe	59
PID 1764 wrote to memory of 1964	1764	64CO.exe	61
PID 1764 wrote to memory of 1964	1764	64CO.exe	61
PID 1764 wrote to memory of 1964	1764	64CO.exe	61
PID 1764 wrote to memory of 2176	1764	64CO.exe	63
PID 1764 wrote to memory of 2176	1764	64CO.exe	63
PID 1764 wrote to memory of 2176	1764	64CO.exe	63
PID 1764 wrote to memory of 1876	1764	64CO.exe	65
PID 1764 wrote to memory of 1876	1764	64CO.exe	65
PID 1764 wrote to memory of 1876	1764	64CO.exe	65
PID 1764 wrote to memory of 1928	1764	64CO.exe	70
PID 1764 wrote to memory of 1928	1764	64CO.exe	70
PID 1764 wrote to memory of 1928	1764	64CO.exe	70

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	64CO.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\64CO.exe
"C:\Users\Admin\AppData\Local\Temp\64CO.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1764
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2992
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:2968
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2736
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2912
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2684
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2672
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3012
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2516
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2096
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2276
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2484
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2396
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2028
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1304
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1944
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:1964
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:2176
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\64CO.exe >> NUL
  2⤵
  - Deletes itself
  PID:1928