Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
29-12-2023 02:05
Static task
static1
Behavioral task
behavioral1
Sample
9ce01dfbf25dfea778e57d8274675d6f.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
9ce01dfbf25dfea778e57d8274675d6f.exe
Resource
win10v2004-20231215-en
General
-
Target
9ce01dfbf25dfea778e57d8274675d6f.exe
-
Size
360KB
-
MD5
9ce01dfbf25dfea778e57d8274675d6f
-
SHA1
1bd767beb5bc36b396ca6405748042640ad57526
-
SHA256
5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d
-
SHA512
d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b
-
SSDEEP
6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwu:4qZb8oR3D6R5QHXZJy/Q50imAvB
Malware Config
Extracted
C:\PerfLogs\_RECOVERY_+jxvtu.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/11BDC7714099EF7C
http://tes543berda73i48fsdfsd.keratadze.at/11BDC7714099EF7C
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/11BDC7714099EF7C
http://xlowfznrg4wf7dli.ONION/11BDC7714099EF7C
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (885) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation 9ce01dfbf25dfea778e57d8274675d6f.exe Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation blwopxrmbnsx.exe -
Drops startup file 6 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+jxvtu.html blwopxrmbnsx.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+jxvtu.png blwopxrmbnsx.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+jxvtu.txt blwopxrmbnsx.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+jxvtu.html blwopxrmbnsx.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+jxvtu.png blwopxrmbnsx.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+jxvtu.txt blwopxrmbnsx.exe -
Executes dropped EXE 1 IoCs
pid Process 5856 blwopxrmbnsx.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faylpocefbie = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\blwopxrmbnsx.exe\"" blwopxrmbnsx.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_RECOVERY_+jxvtu.txt blwopxrmbnsx.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_RECOVERY_+jxvtu.html blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_RECOVERY_+jxvtu.html blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_contrast-white.png blwopxrmbnsx.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\_RECOVERY_+jxvtu.txt blwopxrmbnsx.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\he\_RECOVERY_+jxvtu.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+jxvtu.png blwopxrmbnsx.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-lightunplated.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-200.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100_contrast-white.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\_RECOVERY_+jxvtu.txt blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-400.png blwopxrmbnsx.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png blwopxrmbnsx.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_RECOVERY_+jxvtu.html blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-64_altform-unplated_contrast-black.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail.scale-400.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECOVERY_+jxvtu.txt blwopxrmbnsx.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\_RECOVERY_+jxvtu.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_scale-100.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-black\_RECOVERY_+jxvtu.txt blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\28.jpg blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-fullcolor.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\_RECOVERY_+jxvtu.png blwopxrmbnsx.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\_RECOVERY_+jxvtu.html blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteLargeTile.scale-150.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png blwopxrmbnsx.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\_RECOVERY_+jxvtu.txt blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_RECOVERY_+jxvtu.txt blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\_RECOVERY_+jxvtu.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\_RECOVERY_+jxvtu.txt blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-200.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_NinjaCat.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+jxvtu.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\LargeTile.scale-125.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-150_contrast-white.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\Square310x310Logo.scale-100.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-20_altform-unplated.png blwopxrmbnsx.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_RECOVERY_+jxvtu.txt blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MicrosoftLogo.scale-200.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_RECOVERY_+jxvtu.html blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_RECOVERY_+jxvtu.txt blwopxrmbnsx.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\_RECOVERY_+jxvtu.html blwopxrmbnsx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\_RECOVERY_+jxvtu.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\7.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hi-IN\View3d\_RECOVERY_+jxvtu.html blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-100.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-100_contrast-black.png blwopxrmbnsx.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\_RECOVERY_+jxvtu.txt blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\10.jpg blwopxrmbnsx.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_RECOVERY_+jxvtu.txt blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+jxvtu.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.scale-200.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\SmallTile.scale-125.png blwopxrmbnsx.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_RECOVERY_+jxvtu.txt blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-64.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\_RECOVERY_+jxvtu.txt blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\SmallTile.scale-100.png blwopxrmbnsx.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\204.png blwopxrmbnsx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-400.png blwopxrmbnsx.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\_RECOVERY_+jxvtu.html blwopxrmbnsx.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_RECOVERY_+jxvtu.png blwopxrmbnsx.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\blwopxrmbnsx.exe 9ce01dfbf25dfea778e57d8274675d6f.exe File opened for modification C:\Windows\blwopxrmbnsx.exe 9ce01dfbf25dfea778e57d8274675d6f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings blwopxrmbnsx.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 5948 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe 5856 blwopxrmbnsx.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1336 9ce01dfbf25dfea778e57d8274675d6f.exe Token: SeDebugPrivilege 5856 blwopxrmbnsx.exe Token: SeIncreaseQuotaPrivilege 4632 WMIC.exe Token: SeSecurityPrivilege 4632 WMIC.exe Token: SeTakeOwnershipPrivilege 4632 WMIC.exe Token: SeLoadDriverPrivilege 4632 WMIC.exe Token: SeSystemProfilePrivilege 4632 WMIC.exe Token: SeSystemtimePrivilege 4632 WMIC.exe Token: SeProfSingleProcessPrivilege 4632 WMIC.exe Token: SeIncBasePriorityPrivilege 4632 WMIC.exe Token: SeCreatePagefilePrivilege 4632 WMIC.exe Token: SeBackupPrivilege 4632 WMIC.exe Token: SeRestorePrivilege 4632 WMIC.exe Token: SeShutdownPrivilege 4632 WMIC.exe Token: SeDebugPrivilege 4632 WMIC.exe Token: SeSystemEnvironmentPrivilege 4632 WMIC.exe Token: SeRemoteShutdownPrivilege 4632 WMIC.exe Token: SeUndockPrivilege 4632 WMIC.exe Token: SeManageVolumePrivilege 4632 WMIC.exe Token: 33 4632 WMIC.exe Token: 34 4632 WMIC.exe Token: 35 4632 WMIC.exe Token: 36 4632 WMIC.exe Token: SeIncreaseQuotaPrivilege 4632 WMIC.exe Token: SeSecurityPrivilege 4632 WMIC.exe Token: SeTakeOwnershipPrivilege 4632 WMIC.exe Token: SeLoadDriverPrivilege 4632 WMIC.exe Token: SeSystemProfilePrivilege 4632 WMIC.exe Token: SeSystemtimePrivilege 4632 WMIC.exe Token: SeProfSingleProcessPrivilege 4632 WMIC.exe Token: SeIncBasePriorityPrivilege 4632 WMIC.exe Token: SeCreatePagefilePrivilege 4632 WMIC.exe Token: SeBackupPrivilege 4632 WMIC.exe Token: SeRestorePrivilege 4632 WMIC.exe Token: SeShutdownPrivilege 4632 WMIC.exe Token: SeDebugPrivilege 4632 WMIC.exe Token: SeSystemEnvironmentPrivilege 4632 WMIC.exe Token: SeRemoteShutdownPrivilege 4632 WMIC.exe Token: SeUndockPrivilege 4632 WMIC.exe Token: SeManageVolumePrivilege 4632 WMIC.exe Token: 33 4632 WMIC.exe Token: 34 4632 WMIC.exe Token: 35 4632 WMIC.exe Token: 36 4632 WMIC.exe Token: SeBackupPrivilege 3756 vssvc.exe Token: SeRestorePrivilege 3756 vssvc.exe Token: SeAuditPrivilege 3756 vssvc.exe Token: SeIncreaseQuotaPrivilege 5316 WMIC.exe Token: SeSecurityPrivilege 5316 WMIC.exe Token: SeTakeOwnershipPrivilege 5316 WMIC.exe Token: SeLoadDriverPrivilege 5316 WMIC.exe Token: SeSystemProfilePrivilege 5316 WMIC.exe Token: SeSystemtimePrivilege 5316 WMIC.exe Token: SeProfSingleProcessPrivilege 5316 WMIC.exe Token: SeIncBasePriorityPrivilege 5316 WMIC.exe Token: SeCreatePagefilePrivilege 5316 WMIC.exe Token: SeBackupPrivilege 5316 WMIC.exe Token: SeRestorePrivilege 5316 WMIC.exe Token: SeShutdownPrivilege 5316 WMIC.exe Token: SeDebugPrivilege 5316 WMIC.exe Token: SeSystemEnvironmentPrivilege 5316 WMIC.exe Token: SeRemoteShutdownPrivilege 5316 WMIC.exe Token: SeUndockPrivilege 5316 WMIC.exe Token: SeManageVolumePrivilege 5316 WMIC.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe 5360 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1336 wrote to memory of 5856 1336 9ce01dfbf25dfea778e57d8274675d6f.exe 30 PID 1336 wrote to memory of 5856 1336 9ce01dfbf25dfea778e57d8274675d6f.exe 30 PID 1336 wrote to memory of 5856 1336 9ce01dfbf25dfea778e57d8274675d6f.exe 30 PID 1336 wrote to memory of 5012 1336 9ce01dfbf25dfea778e57d8274675d6f.exe 33 PID 1336 wrote to memory of 5012 1336 9ce01dfbf25dfea778e57d8274675d6f.exe 33 PID 1336 wrote to memory of 5012 1336 9ce01dfbf25dfea778e57d8274675d6f.exe 33 PID 5856 wrote to memory of 4632 5856 blwopxrmbnsx.exe 46 PID 5856 wrote to memory of 4632 5856 blwopxrmbnsx.exe 46 PID 5856 wrote to memory of 5948 5856 blwopxrmbnsx.exe 109 PID 5856 wrote to memory of 5948 5856 blwopxrmbnsx.exe 109 PID 5856 wrote to memory of 5948 5856 blwopxrmbnsx.exe 109 PID 5856 wrote to memory of 5360 5856 blwopxrmbnsx.exe 113 PID 5856 wrote to memory of 5360 5856 blwopxrmbnsx.exe 113 PID 5360 wrote to memory of 4352 5360 msedge.exe 112 PID 5360 wrote to memory of 4352 5360 msedge.exe 112 PID 5856 wrote to memory of 5316 5856 blwopxrmbnsx.exe 111 PID 5856 wrote to memory of 5316 5856 blwopxrmbnsx.exe 111 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 5388 5360 msedge.exe 115 PID 5360 wrote to memory of 3020 5360 msedge.exe 114 PID 5360 wrote to memory of 3020 5360 msedge.exe 114 PID 5360 wrote to memory of 560 5360 msedge.exe 116 PID 5360 wrote to memory of 560 5360 msedge.exe 116 PID 5360 wrote to memory of 560 5360 msedge.exe 116 PID 5360 wrote to memory of 560 5360 msedge.exe 116 PID 5360 wrote to memory of 560 5360 msedge.exe 116 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System blwopxrmbnsx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" blwopxrmbnsx.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ce01dfbf25dfea778e57d8274675d6f.exe"C:\Users\Admin\AppData\Local\Temp\9ce01dfbf25dfea778e57d8274675d6f.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\blwopxrmbnsx.exeC:\Windows\blwopxrmbnsx.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5856 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4632
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT3⤵
- Opens file in notepad (likely ransom note)
PID:5948
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5360 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:34⤵PID:3020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:24⤵PID:5388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:84⤵PID:560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:14⤵PID:2432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:14⤵PID:2748
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:84⤵PID:3832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:84⤵PID:4120
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:14⤵PID:5772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:14⤵PID:4640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:14⤵PID:5520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:14⤵PID:304
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BLWOPX~1.EXE3⤵PID:5460
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\9CE01D~1.EXE2⤵PID:5012
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3756
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6ed746f8,0x7ffa6ed74708,0x7ffa6ed747181⤵PID:4352
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2552
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4676
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
560B
MD5a175bacabbb58bdd2ee8b9e0c51d4719
SHA1ef4bb7f490bbfe0479afb80a8b3421e7da3168fa
SHA25656edbbfd263ddecf7fdb48696bf0a10de304c59ce6c6a00263aeb189ba0a85bf
SHA512b03dedcea99123ba7e877119c0ac15e5e0d9e217fd92801c64bad18d0d92ecd4add7cad7b4953029ff37d5591570c45629147af53aedd5c12a10ee22bfdc0567
-
Filesize
560B
MD5d39811c5c164a2ef92e934c07177f981
SHA145165c24aabb1bf7d9decf0c33c7643a1bd1a564
SHA256c90cb6a35da8e2290122839a33ad8127bab3a0433b3dabcb72810f2d53a89e52
SHA512cc502cd7451c62466ca51c1e4944b08fd3ef11d2bc7ce10a786aa31b29765708f1006d0ad0a043ce453e8f767ad217b8a9aecf6b71ff8db1fee26002be798aa7
-
Filesize
416B
MD51b370db94bed271918e4041a87b0f63b
SHA1853d0b7614f1929faaa1fe58243b4d4ee58a2a65
SHA25666df2e534eae652c300c34ba78c5d7a5d733b9e2f7aa29ec467f490ecc476eff
SHA5123c138535d267012e6bccbfae45476d9eca0ec6248d8f66083ae53203ab5c90118a198de859b0be878d347e984518fccba336ea3f8ec7e2ffbcadaee60262dcda
-
Filesize
360KB
MD59ce01dfbf25dfea778e57d8274675d6f
SHA11bd767beb5bc36b396ca6405748042640ad57526
SHA2565343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d
SHA512d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b