Analysis
max time kernel: 93s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2023 12:35
Behavioral task
behavioral1
Sample
ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c.exe
Resource
win7-20231130-en
Behavioral task
behavioral2
Sample
ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c.exe
Resource
win10v2004-20231130-en
General
Target: ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c.exe
Size: 2.9MB
MD5: ff8a7dd8b1cb0420dd18810041d172a7
SHA1: cc166bc3eaa024aac4a2cdc02174ae87fcf47e28
SHA256: ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c
SHA512: edac57212b21a8046ab07213bf0ea51d1f3c5c9c539812fb1dffba6663b1f74e137991128f1c3135f4c1ab2ff4b470dcc6563ecae5079546dd1f6dfda210ba60
SSDEEP: 49152:VUzeOdI+NDXIgqUPGPiTgvRZHrn7hQyZ9haNSAXpuNh/RgaJ2wf3:VUzekDpRGaTARZHPhQMCcyYvwwf3
Malware Config
Extracted (ransom note on disk)
C:\RECOVER-kh1ftzx-FILES.txt
http://rfosusl6qdm4zhoqbqnjxaloprld2qz35u77h4aap46rhwkouejsooqd.onion/?access-key=Sdzfi7%2Bwfijc5dMSoj2q1hqe%2FF0XHefoPXhE8zL1YQXlLb1TLxxYVAKEQS%2BWHI83jCQHbi9a%2BypynkRAp1ccN1G2Gc%2FV5o9okOkFgGaQ%2FdPbIK0oMFz2FyWXZ2Dw4DX2x2hqqYCZSfjGdctR1FmHd3x2oHW%2BquYMBUL4QTN%2BWhp6O2XzErgo7cFn4JalSv52d6rYvr7XR1ChHB%2B9mh6YD6%2FQoIg7Mqd7dsivTUi7rrJiJBKtmKR7xBNw%2B88Qso%2Bp6QrJbKQzjFi4Yqs4FJ0Sy%2B8CJG7F3RzZL0rOY9yVzqxmPStkvctP3K5KS%2FOZY5CpIa9IVbYek6NVdH5Jr2gkXg%3D%3D
Extracted (embedded configuration)
family: blackcat
enable_network_discovery: true
enable_self_propagation: true
enable_set_wallpaper: true
extension: kh1ftzx
note_file_name: RECOVER-${EXTENSION}-FILES.txt
note_full_text:
  >> What happened?
  Important files on your network was ENCRYPTED and now they have "${EXTENSION}" extension.
  In order to recover your files you need to follow instructions below.
  >> Sensitive Data
  Sensitive data on your system was DOWNLOADED.
  If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly.
  Data includes:
  - Employees personal data, CVs, DL, SSN.
  - Complete network map including credentials for local and remote services.
  - Private financial information including: clients data, bills, budgets, annual reports, bank statements.
  - Manufacturing documents including: datagrams, schemas, drawings in solidworks format
  - And more...
  >> CAUTION
  DO NOT MODIFY ENCRYPTED FILES YOURSELF.
  DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
  YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.
  >> What should I do next?
  Follow these simple steps to get everything back to normal:
  1) Download and install Tor Browser from: https://torproject.org/
  2) Navigate to: http://rfosusl6qdm4zhoqbqnjxaloprld2qz35u77h4aap46rhwkouejsooqd.onion/?access-key=${ACCESS_KEY}
Signatures

BlackCat
A Rust-based ransomware family sold as RaaS, first seen in late 2021.

Deletes shadow copies 2 TTPs
Ransomware deletes Volume Shadow Copies (here via vssadmin Delete Shadows and wmic Shadowcopy Delete) so that encrypted files cannot be rolled back from a local snapshot.

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid   Process
1296  bcdedit.exe
2588  bcdedit.exe

Renames multiple (6322) files with added filename extension
Consistent with ransomware encrypting files across the system; every renamed file here gains the extension kh1ftzx from the extracted config.

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\Z:  ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Both values point at a PNG rendering of the ransom note; the process for both rows is ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c.exe.
description      ioc
Set value (str)  \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\Desktop\\RECOVER-kh1ftzx-FILES.txt.png"
Set value (str)  \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\RECOVER-kh1ftzx-FILES.txt.png"

Drops file in Program Files directory 64 IoCs
Process for every row: ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c.exe
description                   ioc
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api.kh1ftzx
File created                  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\RECOVER-kh1ftzx-FILES.txt
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sk-sk\ui-strings.js.kh1ftzx
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pt-br\ui-strings.js.kh1ftzx
File created                  C:\Program Files\Microsoft Office\root\vreg\checkpoints-officemui.msi.16.en-us.vreg.dat.kh1ftzx
File created                  C:\Program Files\Microsoft Office\root\Licenses16\checkpoints-HomeBusinessR_Retail3-ppd.xrm-ms.kh1ftzx
File created                  C:\Program Files\Microsoft Office\root\Licenses16\checkpoints-HomeStudent2019R_OEM_Perp-pl.xrm-ms.kh1ftzx
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\checkpoints-SYMBOL.TXT.kh1ftzx
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\RECOVER-kh1ftzx-FILES.txt
File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Microsoft.Graphics.Canvas.winmd
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\fonts\symbol.ttf
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-150.png
File created                  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\checkpoints-HintBarEllipses.16.GrayF.png.kh1ftzx
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_th_en_CA_v2.txt
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\checkpoints-ui-strings.js.kh1ftzx
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\checkpoints-ui-strings.js.kh1ftzx
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\be_get.svg
File opened for modification  C:\Program Files\Java\jdk-1.8\README.html.kh1ftzx
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-100_contrast-white.png
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ul-oob.xrm-ms.kh1ftzx
File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-black_scale-100.png
File opened for modification  C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md
File created                  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\RECOVER-kh1ftzx-FILES.txt
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\MEDIA\BREEZE.WAV
File opened for modification  C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-125_contrast-white.png
File created                  C:\Program Files\Microsoft Office\root\Licenses16\checkpoints-VisioProO365R_SubTrial-pl.xrm-ms.kh1ftzx
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxSelected.svg.kh1ftzx
File opened for modification  C:\Program Files\7-Zip\7zCon.sfx
File opened for modification  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.181.5\EdgeUpdate.dat.kh1ftzx
File created                  C:\Program Files\Microsoft Office\root\Licenses16\checkpoints-Access2019R_Grace-ul-oob.xrm-ms.kh1ftzx
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-48_altform-unplated.png
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.kh1ftzx
File created                  C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\checkpoints-SQLENGINEMESSAGES.XML.kh1ftzx
File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\LargeTile.scale-125.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\resources.pri
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-200_contrast-white.png
File created                  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\checkpoints-PGMN110.XML.kh1ftzx
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_nothumbnail_34.svg.kh1ftzx
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Snooze.scale-64.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-100_contrast-white.png
File created                  C:\Program Files\Microsoft Office\root\Licenses16\checkpoints-ProjectStdR_Grace-ul-oob.xrm-ms.kh1ftzx
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_pt_135x40.svg
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js.kh1ftzx
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\checkpoints-core_icons_retina.png.kh1ftzx
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms
File created                  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RECOVER-kh1ftzx-FILES.txt
File opened for modification  C:\Program Files\VideoLAN\VLC\lua\meta\art\00_musicbrainz.luac
File created                  C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\checkpoints-msipc.dll.mui.kh1ftzx
File created                  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\checkpoints-nb.pak.kh1ftzx
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\ui-strings.js.kh1ftzx
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutImage.layoutdir-LTR.gif
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML.kh1ftzx
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.kh1ftzx
File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\it-it\ui-strings.js
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsyml.ttf
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteLargeTile.scale-400.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\View3d\3DViewerProductDescription-universal.xml
File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\import_google_contacts\googleOnboardingCard.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\LargeTile.scale-100.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-200.png
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt
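The file IoCs above fall into a few shapes that the extracted config predicts: the ransom note rendered from note_file_name with extension kh1ftzx, victim files renamed with a .kh1ftzx suffix, files created with a checkpoints- prefix plus that suffix, and files only opened for modification. The following Python is an added example, not part of the sandbox report or of the malware, that renders the note name from the config template and sorts IoC lines into those categories; the category names, the helper names and the six sample lines (copied from the list above) are my own construction.

```python
import re
from collections import Counter
from string import Template

# Values copied from the "Extracted blackcat" config above.
EXTENSION = "kh1ftzx"
NOTE_FILE_NAME_TEMPLATE = "RECOVER-${EXTENSION}-FILES.txt"


def render_note_name(template, extension):
    """Expand ${EXTENSION} the way the config implies.

    safe_substitute leaves any other placeholder untouched instead of raising,
    so an unexpected token in a config cannot abort the whole parse.
    """
    return Template(template).safe_substitute(EXTENSION=extension)


NOTE_FILE_NAME = render_note_name(NOTE_FILE_NAME_TEMPLATE, EXTENSION)

# One sandbox IoC line: "<description> <path>", with the two descriptions this report uses.
_IOC_RE = re.compile(r"^(File created|File opened for modification)\s+(.+)$")

# Constructed sample: six lines copied from the 'Drops file in Program Files directory' list.
SAMPLE_IOCS = [
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api.kh1ftzx",
    r"File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\RECOVER-kh1ftzx-FILES.txt",
    r"File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\checkpoints-SYMBOL.TXT.kh1ftzx",
    r"File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC",
    r"File opened for modification C:\Program Files\Java\jdk-1.8\README.html.kh1ftzx",
    r"File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RECOVER-kh1ftzx-FILES.txt",
]


def classify(ioc_line):
    """Return (category, path) for one 'Drops file' IoC line.

    Category names are mine, not the sandbox's:
      note        the ransom note dropped into a directory
      checkpoint  a file created with the checkpoints- prefix and the ransomware extension
      encrypted   a victim file carrying the appended .kh1ftzx extension
      touched     a file opened for modification that does not carry the extension
    """
    m = _IOC_RE.match(ioc_line.strip())
    if not m:
        raise ValueError("unrecognised IoC line: %r" % ioc_line)
    _description, path = m.groups()
    name = path.rsplit("\\", 1)[-1]
    suffix = "." + EXTENSION
    if name == NOTE_FILE_NAME:
        return "note", path
    if name.startswith("checkpoints-") and name.endswith(suffix):
        return "checkpoint", path
    if name.endswith(suffix):
        return "encrypted", path
    return "touched", path


def original_name(path):
    """Recover the victim file name from an encrypted or checkpoint path."""
    name = path.rsplit("\\", 1)[-1]
    if name.startswith("checkpoints-"):
        name = name[len("checkpoints-"):]
    suffix = "." + EXTENSION
    return name[:-len(suffix)] if name.endswith(suffix) else name


def summarize(ioc_lines):
    """Count IoC lines per category, e.g. to confirm the extension on disk matches the config."""
    return dict(Counter(classify(line)[0] for line in ioc_lines))


if __name__ == "__main__":
    for line in SAMPLE_IOCS:
        category, path = classify(line)
        print(category, original_name(path))
    print(summarize(SAMPLE_IOCS))
```

Running the same classifier over the full 64-row list (or over the 6322 renames the signature counts) gives a quick cross-check that the on-disk extension and note name agree with the embedded config, which is what ties the file artifacts to this specific build.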
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid   Process
3412  vssadmin.exe
752   vssadmin.exe

Modifies Control Panel 1 IoCs
description      ioc                                                                                                     Process
Set value (str)  \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\Desktop\WallpaperStyle = "0"  ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs
pid   Process
3744  ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c.exe (32 identical events)

Suspicious use of AdjustPrivilegeToken 64 IoCs
Privileges enabled through AdjustTokenPrivileges, grouped by process (the sandbox lists one IoC per token).
PID 2384 WMIC.exe, the same sequence twice (42 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
PID 3744 ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c.exe (22 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34
The numeric entries are privilege LUIDs the sandbox did not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. For the encryptor itself, SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege are what let it open and overwrite files regardless of their ACLs.

Suspicious use of WriteProcessMemory 64 IoCs
Each row is one "PID <source> wrote to memory of <target>" edge of the process tree; identical repeated events are collapsed into a count. Source 3744 is ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c.exe, every other source is cmd.exe.
source pid  target pid  procid_target  events
3744        4664        88             3
4664        2384        90             3
3744        1456        93             3
1456        376         96             3
3744        3852        97             3
3852        2272        99             3
3744        1368        100            3
3744        1144        101            3
3744        5068        105            2
1144        1880        104            3
3744        2424        107            3
5068        3412        108            2
2424        4896        111            3
3744        2760        114            2
2760        1612        116            2
3744        432         117            2
432         1296        119            2
3744        3840        120            2
3840        2588        122            2
3744        1408        123            2
1408        3864        125            2
3744        5244        131            2
5244        752         133            2
3744        5884        135            2
5884        4208        137            2
3744        828         138            2
828         1528        140            1

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c.exe (PID 3744)
  Command line: C:\Users\Admin\AppData\Local\Temp\ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c.exe --access-token xx
  Signatures: Enumerates connected drives; Sets desktop wallpaper using registry; Drops file in Program Files directory; Modifies Control Panel; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4664)
    Command line: "C:\Windows\system32\cmd.exe" /c "wmic csproduct get UUID"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2384)
      Command line: wmic csproduct get UUID
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 1456)
    Command line: "C:\Windows\system32\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2L:1"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\fsutil.exe (PID 376)
      Command line: fsutil behavior set SymlinkEvaluation R2L:1
  - C:\Windows\SysWOW64\cmd.exe (PID 3852)
    Command line: "C:\Windows\system32\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2R:1"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\fsutil.exe (PID 2272)
      Command line: fsutil behavior set SymlinkEvaluation R2R:1
  - C:\Windows\SysWOW64\cmd.exe (PID 1368)
    Command line: "C:\Windows\system32\cmd.exe" /c "iisreset.exe /stop"
  - C:\Windows\SysWOW64\cmd.exe (PID 1144)
    Command line: "C:\Windows\system32\cmd.exe" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 1880)
      Command line: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
  - C:\Windows\system32\cmd.exe (PID 5068)
    Command line: "C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (PID 3412)
      Command line: vssadmin.exe Delete Shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe (PID 2424)
    Command line: "C:\Windows\system32\cmd.exe" /c "arp -a"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ARP.EXE (PID 4896)
      Command line: arp -a
  - C:\Windows\system32\cmd.exe (PID 2760)
    Command line: "C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1612)
      Command line: wmic.exe Shadowcopy Delete
  - C:\Windows\system32\cmd.exe (PID 432)
    Command line: "C:\Windows\system32\cmd.exe" /c "bcdedit /set {default}"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bcdedit.exe (PID 1296)
      Command line: bcdedit /set {default}
      Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\system32\cmd.exe (PID 3840)
    Command line: "C:\Windows\system32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bcdedit.exe (PID 2588)
      Command line: bcdedit /set {default} recoveryenabled No
      Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\system32\cmd.exe (PID 1408)
    Command line: "C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 3864)
      Command line: cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"
  - C:\Windows\system32\cmd.exe (PID 5244)
    Command line: "C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (PID 752)
      Command line: vssadmin.exe Delete Shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\system32\cmd.exe (PID 5884)
    Command line: "C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 4208)
      Command line: wmic.exe Shadowcopy Delete
  - C:\Windows\system32\cmd.exe (PID 828)
    Command line: "C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 1528)
      Command line: cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"
- C:\Windows\system32\vssvc.exe (PID 4368)
  Command line: C:\Windows\system32\vssvc.exe
- C:\Windows\system32\vssvc.exe (PID 6300)
  Command line: C:\Windows\system32\vssvc.exe
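The process tree above is exactly the telemetry a process-creation detection runs over: every destructive step is a one-shot child command launched through cmd.exe, so the signal is the set of distinct techniques attributable to one root process, not any single command. The following Python is an added example, not part of the sandbox report, that walks ppid links back to the root and attributes matching command lines to it. The pid/ppid pairs are transcribed from the tree and the WriteProcessMemory table (a subset: the R2R:1 pair, reg.exe and the second vssadmin/wmic/wevtutil round are omitted for brevity); the ATT&CK labels, the alert threshold and the `wrap` helper that reproduces the `"C:\Windows\system32\cmd.exe" /c "<inner>"` form seen above are my own, and the fsutil SymlinkEvaluation step is deliberately left without a technique ID. The bare `bcdedit /set {default}` entry is kept as the report shows it and is matched by no rule.

```python
import re
from collections import defaultdict

# Detection rules: label -> pattern over the lower-cased command line.
# The ATT&CK mapping is mine, for the commands seen in this tree; not the sandbox's.
RULES = [
    ("T1490 delete shadow copies (vssadmin)", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("T1490 delete shadow copies (wmic)", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("T1490 disable Windows recovery (bcdedit)", r"bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no"),
    ("T1070.001 clear event logs (wevtutil)", r"wevtutil(\.exe)?\s+cl\b"),
    ("T1489 stop IIS (iisreset)", r"iisreset(\.exe)?\s+/stop"),
    ("T1112 raise SMB MaxMpxCt (reg add)", r"reg\s+add\s+.*lanmanserver\\parameters.*maxmpxct"),
    ("enable remote symlink evaluation (fsutil)", r"fsutil\s+behavior\s+set\s+symlinkevaluation\s+r2[lr]:1"),
    ("T1082 read machine UUID (wmic csproduct)", r"wmic(\.exe)?\s+csproduct\s+get\s+uuid"),
    ("T1016 dump ARP cache (arp -a)", r"\barp\s+-a\b"),
]
RULES = [(label, re.compile(rx)) for label, rx in RULES]

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c.exe"
# Escaped quotes kept exactly as the report shows them.
WEVT = r'''cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"'''


def wrap(inner):
    # Hypothetical helper: the cmd.exe wrapper form every child in the tree uses.
    return r'"C:\Windows\system32\cmd.exe" /c "' + inner + '"'


# (pid, ppid, command line) transcribed from the tree above; ppid None marks a tree root.
SAMPLE_PROCESSES = [
    (3744, None, SAMPLE + " --access-token xx"),
    (4664, 3744, wrap("wmic csproduct get UUID")),
    (2384, 4664, "wmic csproduct get UUID"),
    (1456, 3744, wrap("fsutil behavior set SymlinkEvaluation R2L:1")),
    (376, 1456, "fsutil behavior set SymlinkEvaluation R2L:1"),
    (1368, 3744, wrap("iisreset.exe /stop")),
    (1144, 3744, wrap(r"reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f")),
    (5068, 3744, wrap("vssadmin.exe Delete Shadows /all /quiet")),
    (3412, 5068, "vssadmin.exe Delete Shadows /all /quiet"),
    (2424, 3744, wrap("arp -a")),
    (4896, 2424, "arp -a"),
    (2760, 3744, wrap("wmic.exe Shadowcopy Delete")),
    (1612, 2760, "wmic.exe Shadowcopy Delete"),
    (432, 3744, wrap("bcdedit /set {default}")),
    (1296, 432, "bcdedit /set {default}"),
    (3840, 3744, wrap("bcdedit /set {default} recoveryenabled No")),
    (2588, 3840, "bcdedit /set {default} recoveryenabled No"),
    (1408, 3744, wrap(WEVT)),
    (3864, 1408, WEVT),
    (4368, None, r"C:\Windows\system32\vssvc.exe"),
]


def match_rules(cmdline):
    """Return the labels of every rule that fires on one command line."""
    low = cmdline.lower()
    return [label for label, rx in RULES if rx.search(low)]


def root_of(pid, parents):
    """Walk ppid links up to the tree root, guarding against a cycle in bad telemetry."""
    seen = set()
    while parents.get(pid) is not None and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def score_roots(processes):
    """Attribute every rule hit in the tree to its root: {root pid: sorted distinct labels}."""
    parents = {pid: ppid for pid, ppid, _ in processes}
    hits = defaultdict(set)
    for pid, _, cmdline in processes:
        for label in match_rules(cmdline):
            hits[root_of(pid, parents)].add(label)
    return {root: sorted(labels) for root, labels in hits.items()}


def is_ransomware_like(labels):
    """Alert when one root owns two distinct T1490 hits, or one T1490 hit plus event-log clearing."""
    t1490 = [label for label in labels if label.startswith("T1490")]
    clears_logs = any(label.startswith("T1070") for label in labels)
    return len(t1490) >= 2 or (len(t1490) == 1 and clears_logs)


if __name__ == "__main__":
    for root, labels in score_roots(SAMPLE_PROCESSES).items():
        print(root, is_ransomware_like(labels), labels)
```

Because the cmd.exe wrappers carry the same text as their children, a wrapper and its leaf both fire the same rule; collapsing hits into a set per root is what keeps a repeated vssadmin call from inflating the score while still letting a single tree that deletes shadow copies, disables recovery and clears logs cross the threshold.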
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 4275006df32a003b0efd60b0b968b39c
  SHA1: f7cccb2065cb118134f87f348f9d9359d15447ab
  SHA256: 236f5818658bb2ae57813cbe7c33207a61356995419ad19d9b77375d393b4817
  SHA512: 23963e62e1299d3f76a7fb240754eff0a8b3f750b0764becae99b31a5cafc30fc3da8cf3573ebfaa4a882a0e9ee014972535b917b4b1ee310df0c7d7f6f64713
- Filesize: 1KB
  MD5: 20012d62ab22730ca6346db05f5819f6
  SHA1: 6236431cc70d6905b95b323a81c015a4b476f888
  SHA256: 586a861604dc00f0308a4370f4681e146672f6df13a0fa6f2caef7dba320c0da
  SHA512: f060c94443b94646af0fa349bddd9649bc64b32ddc00e330ffe6816e8c409af47b44f90ec364d12967f6b78480f195f35ac371a4a3a11d05deaf8d6a8f4739b9