Analysis

max time kernel: 122s
max time network: 142s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 29-12-2023 02:05
Static task: static1
Behavioral task behavioral1: sample 9ce01dfbf25dfea778e57d8274675d6f.exe, resource win7-20231129-en
Behavioral task behavioral2: sample 9ce01dfbf25dfea778e57d8274675d6f.exe, resource win10v2004-20231215-en
General

Target: 9ce01dfbf25dfea778e57d8274675d6f.exe
Size: 360KB
MD5: 9ce01dfbf25dfea778e57d8274675d6f
SHA1: 1bd767beb5bc36b396ca6405748042640ad57526
SHA256: 5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d
SHA512: d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b
SSDEEP: 6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwu:4qZb8oR3D6R5QHXZJy/Q50imAvB
Malware Config

Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+lmvcq.txt
Family: teslacrypt
Payment/decryption URLs from the ransom note (all four carry the same per-victim path, E4BD5B3CC627D8D, so the identifier, not the host name, is the stable indicator for this infection):
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E4BD5B3CC627D8D
http://tes543berda73i48fsdfsd.keratadze.at/E4BD5B3CC627D8D
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E4BD5B3CC627D8D
http://xlowfznrg4wf7dli.ONION/E4BD5B3CC627D8D
Signatures

TeslaCrypt, AlphaCrypt
Ransomware family modelled on CryptoLocker. The operators shut the operation down in May 2016 and published the master decryption key.

Deletes shadow copies (2 TTPs)
Ransomware deletes Volume Shadow Copies so that files cannot be restored from local snapshots. Here the dropped payload runs "WMIC.exe shadowcopy delete /nointeractive" twice (PIDs 2648 and 748), which in turn starts the VSS service (vssvc.exe, PID 2672).

Renames multiple (411) files with added filename extension
Bulk renaming with a new extension is the visible side of the encryption phase: each victim file is rewritten and given a new suffix.

Deletes itself (1 IoC)
PID 2420 cmd.exe

Drops startup file (3 IoCs)
All three are "File opened for modification" by bkonjrvmguxq.exe. A ransom note placed in the Startup folder is reopened at every logon:
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+lmvcq.png
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+lmvcq.txt
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+lmvcq.html

Executes dropped EXE (1 IoC)
PID 2880 bkonjrvmguxq.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoC is attached to this signature, and the only browser activity in the process tree is iexplore.exe being launched by the payload to display RECOVERY.HTM, so treat this as a side effect of the ransom-note display rather than evidence of credential theft.

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) by bkonjrvmguxq.exe:
\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\aytueobwdppj = C:\Windows\system32\cmd.exe /c start "" "C:\Windows\bkonjrvmguxq.exe"
Both the value name and the payload filename are random 12-letter strings, and the value launches the payload indirectly through cmd.exe /c start, so a hunt should look at what the Run value executes rather than at fixed names.

Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by bkonjrvmguxq.exe. Most are _RECOVERY_+lmvcq.{txt,html,png} ransom notes written into each directory the payload visited; the remaining entries (.png, .wmv, .pak, .js, .css) are ordinary content files opened for modification, consistent with in-place encryption:
C:\Program Files\Internet Explorer\SIGNUP\_RECOVERY_+lmvcq.html
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_RECOVERY_+lmvcq.txt
C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_RECOVERY_+lmvcq.txt
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\_RECOVERY_+lmvcq.txt
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\_RECOVERY_+lmvcq.html
C:\Program Files\Java\jre7\lib\_RECOVERY_+lmvcq.txt
C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_RECOVERY_+lmvcq.txt
C:\Program Files\Common Files\System\it-IT\_RECOVERY_+lmvcq.html
C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png
C:\Program Files\Mozilla Firefox\defaults\_RECOVERY_+lmvcq.png
C:\Program Files\VideoLAN\VLC\locale\pt_PT\_RECOVERY_+lmvcq.txt
C:\Program Files\VideoLAN\VLC\lua\intf\_RECOVERY_+lmvcq.png
C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_RECOVERY_+lmvcq.html
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_RECOVERY_+lmvcq.txt
C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_RECOVERY_+lmvcq.txt
C:\Program Files\Windows Sidebar\de-DE\_RECOVERY_+lmvcq.png
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png
C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png
C:\Program Files\Microsoft Games\Chess\ja-JP\_RECOVERY_+lmvcq.txt
C:\Program Files\Microsoft Games\More Games\es-ES\_RECOVERY_+lmvcq.png
C:\Program Files\Microsoft Games\More Games\_RECOVERY_+lmvcq.png
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_RECOVERY_+lmvcq.txt
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png
C:\Program Files\Common Files\System\es-ES\_RECOVERY_+lmvcq.html
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv
C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png
C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_RECOVERY_+lmvcq.html
C:\Program Files\VideoLAN\VLC\locale\ky\_RECOVERY_+lmvcq.txt
C:\Program Files\Google\Chrome\Application\_RECOVERY_+lmvcq.html
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_RECOVERY_+lmvcq.txt
C:\Program Files\VideoLAN\VLC\locale\fy\_RECOVERY_+lmvcq.txt
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js
C:\Program Files\VideoLAN\VLC\locale\fr\_RECOVERY_+lmvcq.png
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\settings.css
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_RECOVERY_+lmvcq.html
C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_RECOVERY_+lmvcq.txt
C:\Program Files\Windows Mail\ja-JP\_RECOVERY_+lmvcq.html
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_RECOVERY_+lmvcq.txt
C:\Program Files\Microsoft Games\Minesweeper\it-IT\_RECOVERY_+lmvcq.txt
C:\Program Files\VideoLAN\VLC\locale\cs\_RECOVERY_+lmvcq.txt
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\settings.css
C:\Program Files\DVD Maker\en-US\_RECOVERY_+lmvcq.png
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png
C:\Program Files\Microsoft Games\Solitaire\en-US\_RECOVERY_+lmvcq.txt
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_RECOVERY_+lmvcq.png
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_RECOVERY_+lmvcq.txt
C:\Program Files\Microsoft Games\Minesweeper\it-IT\_RECOVERY_+lmvcq.html
C:\Program Files\VideoLAN\VLC\locale\vi\_RECOVERY_+lmvcq.png
C:\Program Files\VideoLAN\VLC\lua\http\dialogs\_RECOVERY_+lmvcq.txt
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_RECOVERY_+lmvcq.txt
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_RECOVERY_+lmvcq.txt
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_RECOVERY_+lmvcq.html
C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\_RECOVERY_+lmvcq.html
C:\Program Files\VideoLAN\VLC\lua\http\requests\_RECOVERY_+lmvcq.html
C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_RECOVERY_+lmvcq.html
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over_BIDI.png
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\_RECOVERY_+lmvcq.html
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv
C:\Program Files\Microsoft Games\Hearts\es-ES\_RECOVERY_+lmvcq.png
C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_RECOVERY_+lmvcq.txt
C:\Program Files\VideoLAN\VLC\locale\ast\_RECOVERY_+lmvcq.html

Drops file in Windows directory (2 IoCs)
File created: C:\Windows\bkonjrvmguxq.exe (9ce01dfbf25dfea778e57d8274675d6f.exe)
File opened for modification: C:\Windows\bkonjrvmguxq.exe (9ce01dfbf25dfea778e57d8274675d6f.exe)
Writing directly into C:\Windows requires administrative rights; together with the HKLM policy write below, this shows the sample ran elevated in the sandbox.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (38 IoCs listed)
All keys are under \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer, written as IE\ below. Every entry is made by iexplore.exe or IEXPLORE.EXE, the browser the payload launched to display RECOVERY.HTM; these are the browser's normal first-run writes, not changes made by the malware itself.
Set value (int) IE\DomainSuggestion\NextUpdateDate = "409977428" (iexplore.exe)
Key created IE\Main (iexplore.exe)
Key created IE\Toolbar (iexplore.exe)
Key created IE\Toolbar\WebBrowser (iexplore.exe)
Set value (data) IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
Set value (data) IE\TabbedBrowsing\NewTabPage\LastProcessed = f091eba3fb39da01 (iexplore.exe)
Key created IE\Recovery\AdminActive (iexplore.exe)
Set value (str) IE\Main\FullScreen = "no" (iexplore.exe)
Key created IE\Main (IEXPLORE.EXE)
Key created IE\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (iexplore.exe)
Key created IE\PageSetup (iexplore.exe)
Set value (str) IE\Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
Key created IE\TabbedBrowsing (iexplore.exe)
Set value (int) IE\Main\CompatibilityFlags = "0" (iexplore.exe)
Set value (str) IE\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
Set value (int) IE\SearchScopes\DownloadRetries = "2" (iexplore.exe)
Set value (str) IE\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" (iexplore.exe)
Key created IE\LowRegistry (iexplore.exe)
Key created IE\LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
Set value (int) IE\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
Key created IE\SearchScopes (iexplore.exe)
Set value (int) IE\TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
Key created IE\TabbedBrowsing\NewTabPage (iexplore.exe)
Set value (data) IE\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f12000000000020000000000106600000001000020000000554ad74da9ff066caeaab949fe7be0850f0ef208bd7ecdd5ae3ce71ba600b394000000000e80000000020000200000004394c3e67e41f06ed6ad8779cf86f88de44e57f4c4acd0f645d0b029184fcd02200000008a4a49299224a1059bb48b6baed5496073fa7523870cb51bda8e5877a00355fd40000000ead5e2e65ab12fd5552cc92dd9a5c8302f9a1bf2eb99d78d806ee43df657d5596a3e05468e088a27ba723412787be1461b1e78e2ab383ad2e544cad3064b5fd2 (iexplore.exe; the 01000000 d08c9ddf-0115-11d1-8c7a-00c04fc297eb prefix marks a DPAPI-protected blob)
Key created IE\DomainSuggestion (iexplore.exe)
Key created IE\Main\WindowsSearch (iexplore.exe)
Key created IE\Recovery\PendingRecovery (iexplore.exe)
Key created IE\Main\WindowsSearch (IEXPLORE.EXE)
Key created IE\BrowserEmulation\LowMic (iexplore.exe)
Key created IE\IETld\LowMic (iexplore.exe)
Key created IE\IntelliForms (iexplore.exe)
Key created IE\Zoom (iexplore.exe)
Set value (int) IE\Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
Set value (data) IE\TabbedBrowsing\NewTabPage\MFV = (value omitted in this copy of the report) (iexplore.exe)
Key created IE\GPU (iexplore.exe)
Key created IE\InternetRegistry (iexplore.exe)
Key created IE\LowRegistry\DOMStorage (iexplore.exe)
Set value (int) IE\Recovery\AdminActive\{CF898601-A5EE-11EE-BE92-46FC6C3D459E} = "0" (iexplore.exe)

Opens file in notepad (likely ransom note) (1 IoC)
PID 112 NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 2880 bkonjrvmguxq.exe, recorded 64 times (the report caps each signature at 64 entries).

Suspicious use of AdjustPrivilegeToken (64 IoCs, capped)
PID 2364 9ce01dfbf25dfea778e57d8274675d6f.exe: SeDebugPrivilege
PID 2880 bkonjrvmguxq.exe: SeDebugPrivilege
PID 2648 WMIC.exe (the full sequence twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
PID 2672 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
PID 748 WMIC.exe: the same sequence as PID 2648, cut off after privilege 34 by the 64-entry cap
The numeric entries are privilege LUIDs without a resolved name: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege. WMIC.exe enabling every privilege its token holds is normal behaviour for that tool; the signal here is the "shadowcopy delete" command line, not the token adjustments. The two SeDebugPrivilege requests by the sample and its dropped copy are the malware's own.

Suspicious use of FindShellTrayWindow (2 IoCs)
PID 1320 iexplore.exe; PID 1288 DllHost.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
PID 1320 iexplore.exe (2); PID 616 IEXPLORE.EXE (2)

Suspicious use of WriteProcessMemory (32 IoCs)
Eight parent-to-child writes, each recorded four times. Every target is a process the writer itself spawned (compare the process tree), which is what process creation looks like to this hook, not injection into an unrelated process.
PID 2364 9ce01dfbf25dfea778e57d8274675d6f.exe wrote to 2880 (procid_target 30)
PID 2364 9ce01dfbf25dfea778e57d8274675d6f.exe wrote to 2420 (procid_target 28)
PID 2880 bkonjrvmguxq.exe wrote to 2648 (procid_target 35)
PID 2880 bkonjrvmguxq.exe wrote to 112 (procid_target 44)
PID 2880 bkonjrvmguxq.exe wrote to 1320 (procid_target 43)
PID 1320 iexplore.exe wrote to 616 (procid_target 39)
PID 2880 bkonjrvmguxq.exe wrote to 748 (procid_target 41)
PID 2880 bkonjrvmguxq.exe wrote to 1120 (procid_target 46)

System policy modification (1 TTP, 2 IoCs)
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (bkonjrvmguxq.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (bkonjrvmguxq.exe)
EnableLinkedConnections = 1 makes network drives mapped in the user's unelevated session visible to processes running under the elevated (linked) token. Since the payload runs elevated, this is what lets it reach and encrypt mapped network shares, not only local disks; a machine-wide policy value written by an unsigned binary in C:\Windows is worth an alert on its own.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups/snapshots. The two "WMIC shadowcopy delete" calls above drive it through COM, which is why vssvc.exe (PID 2672) appears in the process list with SeBackupPrivilege and SeRestorePrivilege enabled.
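The behaviours listed above map directly onto telemetry a defender can alert on. The following Python is an added example written for this page, not code from the sandbox or from the malware: it encodes four of the signatures (WMIC shadow-copy deletion, a Run value that launches a loose executable in C:\Windows through cmd /c start, EnableLinkedConnections set to 1, and ransom notes sprayed as one filename stem across many directories including the Startup folder) as rules over constructed Sysmon-style events. The event layout and the benign rows (a WMIC inventory query, a OneDrive autorun, a README write) are assumptions made for the example; the malicious values are taken from this report. The rules generalise past this sample: vssadmin and wbadmin deletions and any Run value that launches through cmd are also caught.

```python
"""Added example, not part of the sandbox report: detection rules for the behaviours
listed under Signatures, run over constructed Sysmon-style events.  The event shape
(type/pid/image plus cmdline, key+data or path) is an assumption; malicious field values
are copied from the report, the benign rows are invented so the rules can be shown not
to fire on look-alike activity."""
import ntpath
import re
from collections import defaultdict

DROPPED = r"C:\Windows\bkonjrvmguxq.exe"
NOTE_DIRS = [  # directories from the report that received a _RECOVERY_+lmvcq.* note
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    r"C:\Program Files\Java\jre7\lib",
    r"C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES",
    r"C:\Program Files\Common Files\Microsoft Shared\OFFICE14",
    r"C:\Program Files\Mozilla Firefox\defaults",
]
EVENTS = [
    {"type": "process", "pid": 2648, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'},
    {"type": "registry", "pid": 2880, "image": DROPPED,
     "key": r"HKU\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\aytueobwdppj",
     "data": r'C:\Windows\system32\cmd.exe /c start "" "C:\Windows\bkonjrvmguxq.exe"'},
    {"type": "registry", "pid": 2880, "image": DROPPED, "data": "1",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections"},
    *[{"type": "file", "pid": 2880, "image": DROPPED, "path": rf"{d}\_RECOVERY_+lmvcq{ext}"}
      for d in NOTE_DIRS for ext in (".txt", ".html", ".png")],
    # Constructed benign look-alikes: an inventory query, a normal autorun, an ordinary file write.
    {"type": "process", "pid": 3100, "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic os get caption"},
    {"type": "registry", "pid": 3101, "image": r"C:\Program Files\OneDrive\OneDrive.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Program Files\OneDrive\OneDrive.exe" /background'},
    {"type": "file", "pid": 3102, "image": r"C:\Program Files\Git\git.exe", "path": r"C:\Users\Admin\repo\README.md"},
]

# Shadow-copy destruction through the three built-in tools ransomware reaches for.
SHADOW_DELETE = re.compile(r"wmic(\.exe)?.*\bshadowcopy\s+delete|vssadmin(\.exe)?.*\bdelete\s+shadows"
                           r"|wbadmin(\.exe)?.*\bdelete\s+catalog", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# 'cmd /c start "" "<exe>"': the indirection used here so the Run value does not name the payload directly.
LAUNCHER = re.compile(r'cmd(\.exe)?\s+/c\s+start\b.*?"([^"]+\.exe)"', re.IGNORECASE)
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def autorun_target(data):
    """Return the executable a Run value ultimately launches."""
    m = LAUNCHER.search(data)
    if m:
        return m.group(2)
    m = re.match(r'"?([^"]+?\.exe)"?', data, re.IGNORECASE)
    return m.group(1) if m else data


def run_key_finding(ev):
    """Flag Run values that launch via cmd /c start or point at a loose file in the Windows root."""
    if ev["type"] != "registry" or not RUN_KEY.search(ev["key"]):
        return None
    target, reasons = autorun_target(ev["data"]), []
    if LAUNCHER.search(ev["data"]):
        reasons.append("launched through cmd /c start")
    if ntpath.normcase(ntpath.dirname(target)) == r"c:\windows":
        reasons.append("target is a loose executable in the Windows root")
    return ("run_key_persistence", ev["pid"], f"{target}: {'; '.join(reasons)}") if reasons else None


def ransom_note_findings(events, min_dirs=5, min_exts=2):
    """One file stem written to many directories in several formats: a ransom-note spray."""
    seen = defaultdict(lambda: {"dirs": set(), "exts": set(), "pids": set()})
    for ev in events:
        if ev["type"] == "file":
            d, name = ntpath.split(ev["path"])
            stem, ext = ntpath.splitext(name)
            s = seen[stem.lower()]
            s["dirs"].add(ntpath.normcase(d)); s["exts"].add(ext.lower()); s["pids"].add(ev["pid"])
    return [("ransom_note_spray", min(s["pids"]), f"{stem} in {len(s['dirs'])} dirs as {sorted(s['exts'])}")
            for stem, s in seen.items() if len(s["dirs"]) >= min_dirs and len(s["exts"]) >= min_exts]


def detect(events):
    """Return (rule, pid, detail) tuples for every rule that fires."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and SHADOW_DELETE.search(ev["cmdline"]):
            findings.append(("shadow_copy_deletion", ev["pid"], ev["cmdline"]))
        rk = run_key_finding(ev)
        if rk:
            findings.append(rk)
        if (ev["type"] == "registry" and ev["data"] == "1"
                and ev["key"].lower().endswith(r"\policies\system\enablelinkedconnections")):
            findings.append(("linked_connections_enabled", ev["pid"], ev["key"]))
        if ev["type"] == "file" and STARTUP_DIR in ev["path"].lower():
            findings.append(("startup_folder_drop", ev["pid"], ev["path"]))
    return findings + ransom_note_findings(events)


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:27} pid={pid:<5} {detail}")
```

Run as a script it prints one line per finding; the benign rows produce none. The ransom-note rule keys on the write pattern rather than on the string "_RECOVERY_", so it survives the per-campaign renaming of the note, and the Run-key rule inspects what the value executes rather than its random value name.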
Processes

C:\Users\Admin\AppData\Local\Temp\9ce01dfbf25dfea778e57d8274675d6f.exe  (PID 2364)
  command line: "C:\Users\Admin\AppData\Local\Temp\9ce01dfbf25dfea778e57d8274675d6f.exe"
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  |
  +- C:\Windows\SysWOW64\cmd.exe  (PID 2420)
  |    command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\9CE01D~1.EXE
  |    signatures: Deletes itself
  |
  +- C:\Windows\bkonjrvmguxq.exe  (PID 2880)
       command line: C:\Windows\bkonjrvmguxq.exe
       signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
       |
       +- C:\Windows\System32\wbem\WMIC.exe  (PID 2648)
       |    command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
       |    signatures: Suspicious use of AdjustPrivilegeToken
       |
       +- C:\Windows\System32\wbem\WMIC.exe  (PID 748)
       |    command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
       |    signatures: Suspicious use of AdjustPrivilegeToken
       |
       +- C:\Program Files\Internet Explorer\iexplore.exe  (PID 1320)
       |    command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
       |    signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
       |
       +- C:\Windows\SysWOW64\NOTEPAD.EXE  (PID 112)
       |    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
       |    signatures: Opens file in notepad (likely ransom note)
       |
       +- C:\Windows\SysWOW64\cmd.exe  (PID 1120)
            command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BKONJR~1.EXE
            signatures: none

C:\Windows\system32\vssvc.exe  (PID 2672)
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 616)
  command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1320 CREDAT:275457 /prefetch:2
  signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\DllHost.exe  (PID 1288)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  signatures: Suspicious use of FindShellTrayWindow

Reading the tree: the sample is 32-bit (arch:x86 tag), so its requests for system32\cmd.exe and system32\NOTEPAD.EXE are redirected by WoW64 to SysWOW64, while the copy it writes to C:\Windows itself is not redirected. Both self-deletions are issued with DOS 8.3 short names (9CE01D~1.EXE for the original, BKONJR~1.EXE for the dropped copy), so a command-line search for the long filenames will miss them. The payload first deletes the original and, at the end of the run (PID 1120), its own copy as well; the Run key added earlier still points at that path. vssvc.exe has no parent in the tree because it is started by the service control manager in response to the shadowcopy delete requests, and IEXPLORE.EXE (PID 616) is the content process of the 1320 frame process (SCODEF:1320; the WriteProcessMemory IoCs record 1320 writing to 616).
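The tree above is easier to reason about as data than as a picture. The following Python is an added example written for this page, not sandbox or malware code: it rebuilds the lineage from process-creation records and flags the drop-and-delete pattern the tree shows, namely a process that runs a child straight out of the Windows root and has a cmd.exe child DEL its own image, matching the 8.3 short names (9CE01D~1.EXE, BKONJR~1.EXE) against the long image paths so the deletion is attributed to the right process. The records are constructed from the tree; the parent PID 1000 given to the first process is an assumption, since the report does not show its parent.

```python
"""Added example, not part of the sandbox report: rebuild the process tree from
process-creation records and flag the drop-and-delete pattern shown above (an original that
writes a copy into the Windows directory, runs it, and has cmd.exe delete its own image via
a DOS 8.3 short name).  Records are constructed from the tree; parent PID 1000 is assumed."""
import ntpath
import re
from collections import defaultdict

CMD = r"C:\Windows\SysWOW64\cmd.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
PROCS = [  # (pid, ppid, image, command line)
    (2364, 1000, r"C:\Users\Admin\AppData\Local\Temp\9ce01dfbf25dfea778e57d8274675d6f.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\9ce01dfbf25dfea778e57d8274675d6f.exe"'),
    (2420, 2364, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\9CE01D~1.EXE'),
    (2880, 2364, r"C:\Windows\bkonjrvmguxq.exe", r"C:\Windows\bkonjrvmguxq.exe"),
    (2648, 2880, WMIC, r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
    (1320, 2880, r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM'),
    (616, 1320, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1320 CREDAT:275457 /prefetch:2'),
    (112, 2880, r"C:\Windows\SysWOW64\NOTEPAD.EXE", r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT'),
    (748, 2880, WMIC, r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
    (1120, 2880, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BKONJR~1.EXE'),
]

SHORT_NAME = re.compile(r"([^~.]{1,6})~\d+(\.[^.]{0,3})?", re.IGNORECASE)
DEL_CMD = re.compile(r'/c\s+del\s+(?:/[a-z]\s+)*"?([^"]+?)"?\s*$', re.IGNORECASE)


def path_matches(candidate, full):
    """True if candidate names the same file as full, exactly or as an 8.3 short name
    (first six characters of the long stem, '~N', first three of the extension).
    The stem normalisation approximates the Windows algorithm."""
    cdir, cname = ntpath.split(candidate)
    fdir, fname = ntpath.split(full)
    if ntpath.normcase(cdir) != ntpath.normcase(fdir):
        return False
    if cname.lower() == fname.lower():
        return True
    m = SHORT_NAME.fullmatch(cname)
    if not m:
        return False
    fstem, fext = ntpath.splitext(fname)
    fstem = fstem.replace(" ", "").replace(".", "")[:6]
    return fstem.upper() == m.group(1).upper() and fext[:4].lower() == (m.group(2) or "").lower()


def children_of(procs):
    tree = defaultdict(list)
    for pid, ppid, _, _ in procs:
        tree[ppid].append(pid)
    return tree


def roots(procs):
    pids = {p[0] for p in procs}
    return [p[0] for p in procs if p[1] not in pids]


def self_deletions(procs):
    """(cmd pid, ancestor pid) pairs where cmd.exe DELs an ancestor's own image file."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, image, cmdline in procs:
        m = DEL_CMD.search(cmdline) if ntpath.basename(image).lower() == "cmd.exe" else None
        anc = by_pid.get(ppid) if m else None
        while anc is not None:  # walk upwards until an ancestor's image matches the DEL target
            if path_matches(m.group(1), anc[2]):
                hits.append((pid, anc[0]))
                break
            anc = by_pid.get(anc[1])
    return hits


def drop_and_delete(procs):
    """PIDs that run a child straight out of the Windows root and have a child delete their image."""
    tree, by_pid = children_of(procs), {p[0]: p for p in procs}
    victim_of = dict(self_deletions(procs))
    out = []
    for pid in by_pid:
        kids = tree.get(pid, [])
        drops = any(ntpath.normcase(ntpath.dirname(by_pid[k][2])) == r"c:\windows" for k in kids)
        if drops and any(victim_of.get(k) == pid for k in kids):
            out.append(pid)
    return out


def render(procs):
    """Indented text tree, one line per process."""
    tree, by_pid, lines = children_of(procs), {p[0]: p for p in procs}, []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {ntpath.basename(by_pid[pid][2])}")
        for k in tree.get(pid, []):
            walk(k, depth + 1)
    for r in roots(procs):
        walk(r, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(PROCS)))
    print("self-deletions:", self_deletions(PROCS), "droppers:", drop_and_delete(PROCS))
```

Only PID 2364 qualifies as the dropper: PID 2880 also deletes itself (through PID 1120) but none of its children run from the Windows root. The short-name comparison is what ties 9CE01D~1.EXE back to the 32-character original filename; without it the two DEL commands look like deletions of unrelated files.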
Network
MITRE ATT&CK Enterprise v15
Downloads

Files written during the run. Entries without a path are shown as the report lists them.

Filesize 11KB
MD5 6a5147c6e2bcbdd2ea10ae22b244f045
SHA1 95b57342159d1099f7478c50fa126aa07f1da216
SHA256 0fce7c1572ddc18180b0fefbcf7259151937ece06e6ef5e99a20d02abd34d20c
SHA512 419708fc2085c895910a78013722ff138db6bea41af60a0f7cdbfa7843256764c3ee3f7a8204b7c0e9ac5c5e976a91a0ff30950d285c0ea30f59536a521caf02

Filesize 62KB
MD5 b7d9f78a9d9fbe9e03f628ac145fe458
SHA1 e33420ffc670fa106168afac371b759873e29706
SHA256 37b6ee9f2de3a8e88252525332734332a49a88d3066be4effb79e780015bc151
SHA512 14742e18c8379aedf0af32517194e95ab6e27d6642d187ec972ff6feffcf5478c633f8ef4a779e0b6c72fbe0c0a3e530372b6fcb5df7723fed9c8534d59dd9b2

Filesize 1KB
MD5 71da64de59f6d31bdce0f149ed326c9a
SHA1 739ccae911112c1eae17e32fafe324a56b072927
SHA256 5a11cdc19ce40ad0cbf6cd847c779c6a77ea37c349683280cbdbd95c433168a0
SHA512 6d8063003499c324bbf87c6e8278fc333efd7b4ffb3bf622e282863a6827c1b7aac832a7abdf65ee3a71fd7174a0768289b35f1c70db3c20d5161fd21d79b430

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize 11KB
MD5 c05bf0a45ea1bd5849bacaddb37ffec8
SHA1 7d4aebf9d42333b2238fd33eac2b09a2ca99762b
SHA256 7885798d4fcc4d9830953f92f3b808ae5d1abfe9a3a1da2a9db436d932522815
SHA512 bd68f417de0bb5b97cc978f0b143f13e1b13117e9b53b9923bed6a5dcf1314e0eaf4e546ba120277000506b34d44857b4004e6885c9d8cfa43ec90963907e249

Filesize 109KB
MD5 61ca283cf1905a727c1e2d51a35f1e88
SHA1 1331a7d468a7a1b8e87653e6bd9bb9af750a0760
SHA256 ac7c1f6966bd7b929d4d7c397425e840d9541c28a523c4c326d8c2b2b7b70076
SHA512 69599649f0870920183913726b117ebfaf025ad533009b056a1453e36b01ab92a9cc5afbf845715f3a1ef674754cf3e294e081519cc8d37a2bef3900203b5781

Filesize 140KB
MD5 216cbb0c124d6f5c3551a41935effe37
SHA1 0e5dd322b124739135dc97e1a4987a12bb7353bc
SHA256 9f1f218b3e4b5babd1acfca62c6484a62fdb8375afbd77da3a7489308f1f4291
SHA512 3a728826361e500941eccec6cbd853a4aa1538bd520a07c23e1026fd0ad70ecf5434b9c78bd68a17a8f523b425ca7947f26735de35619ab227ffa0c7cfb3c59c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 4cfccac9c7a6f39f3f547a911db5ee99
SHA1 811d39e5673e056be6c0322111486d791119ca0b
SHA256 d501edbf642ddc65b5031fe7acae6c3502f546bb9eecba255be4e0e7924f73f1
SHA512 601cb4f03f3260ac7161ba8c1b6bc4cd8e1a1fb574a4a5c89d5f976cb2dec5282a88c669c424fcfe86e60ed8c74256cad5b516598b54bfb9205dab40883db4d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 651e298e7196cae94b4c09638a9194ed
SHA1 e2ad57379621b8dd22981aa949eb5151b070d1a6
SHA256 70cf12fa193d0d911b9df3e3089340e3b346138e6dd7aca4ad0f8e299a8da12a
SHA512 b3b37c24ac50fc3f4d53517064b33a69af11a0c0a9fd837bde3828052142cbcb689c757493c546495a7680ee6ebdffda67bff144ee265c20caaef3c0117b6cbf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 1bed9b66b6e525fb82252ad1981f4396
SHA1 a7dad3b07c87724232a69624e610d1f291d5b05e
SHA256 12cccbccbc6e8bcf41750bd3fa90d89d030a9606377f8d88f0cd43d4eee10d33
SHA512 c742f819d3bd8867570aab6e643dfc8ceef6efe943ed7b04704d64886bab51bbcd7916291c606bbf6322fada209d7655ea748d209ffb87c9035ee18e1d3b6385

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 3a2b85a8adae87cb2d8dc322f23f7ae7
SHA1 d11afeed17c1607571fac76dab411de90fda0728
SHA256 09e3ca9e7ca4735fb5d43a1cd804cd26b8eb683bd7e3e0ab50c21491a9b87846
SHA512 c7f1847236f8fe2f56ac0eb8733d30860cd979b09e42406faeec0390ea34257ac3e4319fdbe115cf83f5b910e5e7ad586017de7e22bf73ca7edb647ef8a2601d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 7a92c085c7dc40935d122d05062b24ce
SHA1 49bdbb511f0084e6017b2f87e0de8d29af14062e
SHA256 8279f62fb10c537341094f9a9c1a26f21c693684609f0bd887d82148c2791ad3
SHA512 1ef0918d6b1451d4884264d0f9413c8173acc5bc8a17881ea6dde0990acef6104438ae5dad645c28dcd681a7ea00b14ad9cad897d84a217bbd66a1f28ee7fbf6

Filesize 93KB
MD5 3f654b994e9e92f412f47abfddd9f935
SHA1 95c68b423bee4b51ea55b6efc23d0c58658cd400
SHA256 8a344e0ba8a70d7f3b33a109615d4fd982a3ea127ce07711600f043a5ad1f7f7
SHA512 268b160e82669046cfe2f4274e6d2e0853e4e56add16b13c8f079a2e40ec0ba9583d04758c377195e80549c0c8225a8d5e6617b7039ab45878c2cab40d106047

Filesize 92KB
MD5 d181ae93b56c9fdee21edbf4083b12d0
SHA1 1f4710f5d613e3a4726796d77d3e0fa5cc2e10a5
SHA256 8dffb59b022d096d9af71406420b59ce0dd051ccef454f1026effcc750e12aac
SHA512 4c25013b16f57b97a6933a9f340b2b3b5d5bf5c478f24aec2efe69f69e7fdff2ef51a4f0d6809619de991017b7f94baeb4c2640f26c8900a1fe5d465ba472e60

Filesize 98KB
MD5 eff6b2a264f4d6c8c7d933dcae2a7f4c
SHA1 679e02f29178fc1e94655245abe2f22d5f0a1cdb
SHA256 ef40909e4ecd991c0bcce59f899be3ef78b17a1278de391c72cc77cd850d6bd5
SHA512 032309153126f67f93a73ea0334b71478c0f0195e5d4385f9a541bbcf3f15f017e908a60313d7c4f7c91e2c9bc77e88d38901891e2724632322c97606c00ab06

The five CryptnetUrlCache\MetaData entries are successive versions of one 344-byte metadata file that the CryptoAPI URL cache rewrites during certificate-revocation lookups; they are a by-product of iexplore.exe opening the ransom note, not artifacts of the malware, and should not be used as indicators.