conti | 01a7d860861d9c5da9725671fc557b9a5ca766e69ba167aab46d970ea2fb61c4

Analysis

max time kernel
90s
max time network
92s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 15:37

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
Size

434KB
MD5

9eb1d5dbe3722be30545c9b63565d2eb
SHA1

78adabc1ac2c1cf58a30ac7bea53062a1e11c9b4
SHA256

0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862
SHA512

2360ab53c10995daafdd118755b98439baba79232865d8daf10a97bfb9e136f16e49ab315ae804a768593d27f7dc86e8e1708385a13653fad4a850de7c56400b
SSDEEP

6144:ud8FpUeW9Xb7cE4luAoF6hS1g0cmpSZ/gdRKOMsaVGKMBaoU2x0jPX3lAa/ac:u39XbgE/AMLLSZId/adpr7/ac

Score

10^/10

conti dave ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\R3ADM3.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion HTTPS VERSION : https://contirecovery.info YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP. ---BEGIN ID--- zJDnMLlK6tLZXk1WL8IzzvpbV1mgmIHZOkF25hbQIFEDjCA0navQ0z9H4n3QtAmB ---END ID---

URLs

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

https://contirecovery.info

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (7984) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

resource	yara_rule
behavioral1/memory/1976-3-0x0000000000240000-0x0000000000271000-memory.dmp	dave

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 46 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\D2NLQ5QT\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\O0N2L68Z\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZZBGI5OF\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2C0UXHXX\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Public\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\ky\R3ADM3.txt	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.JPG	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_pt_BR.properties	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\R3ADM3.txt	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EST5EDT	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Brussels	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\R3ADM3.txt	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04206_.WMF	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187815.WMF	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232803.WMF	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME20.CSS	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45B.GIF	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBBTN.XML	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santo_Domingo	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.INF	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14793_.GIF	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\R3ADM3.txt	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\R3ADM3.txt	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.htm	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00555_.WMF	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\localedata.jar	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLTASKR.FAE	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\R3ADM3.txt	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\handsafe.reg	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\WordMUI.XML	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yakutsk	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR10F.GIF	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105378.WMF	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185776.WMF	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00530_.WMF	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository_1.1.300.v20131211-1531.jar	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0278882.WMF	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RSPMECH.POC	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_ja_4.4.0.v20140623020002.jar	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGLINACC.DPV	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\R3ADM3.txt	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\da.pak	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPAPERS.INI	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files\MeasureStart.inf	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00557_.WMF	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0075478.GIF	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\ITTZN_auto_file\shell\edit	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\ITTZN_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\ITTZN_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\ITTZN_auto_file\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\ITTZN_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\ITTZN_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\ITTZN_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\ITTZN_auto_file\shell\edit\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.ITTZN	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.ITTZN\ = "ITTZN_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\ITTZN_auto_file\shell	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3812	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
804	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1744	vssvc.exe
Token: SeRestorePrivilege	1744	vssvc.exe
Token: SeAuditPrivilege	1744	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeSecurityPrivilege	2572	WMIC.exe
Token: SeTakeOwnershipPrivilege	2572	WMIC.exe
Token: SeLoadDriverPrivilege	2572	WMIC.exe
Token: SeSystemProfilePrivilege	2572	WMIC.exe
Token: SeSystemtimePrivilege	2572	WMIC.exe
Token: SeProfSingleProcessPrivilege	2572	WMIC.exe
Token: SeIncBasePriorityPrivilege	2572	WMIC.exe
Token: SeCreatePagefilePrivilege	2572	WMIC.exe
Token: SeBackupPrivilege	2572	WMIC.exe
Token: SeRestorePrivilege	2572	WMIC.exe
Token: SeShutdownPrivilege	2572	WMIC.exe
Token: SeDebugPrivilege	2572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2572	WMIC.exe
Token: SeRemoteShutdownPrivilege	2572	WMIC.exe
Token: SeUndockPrivilege	2572	WMIC.exe
Token: SeManageVolumePrivilege	2572	WMIC.exe
Token: 33	2572	WMIC.exe
Token: 34	2572	WMIC.exe
Token: 35	2572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeSecurityPrivilege	2572	WMIC.exe
Token: SeTakeOwnershipPrivilege	2572	WMIC.exe
Token: SeLoadDriverPrivilege	2572	WMIC.exe
Token: SeSystemProfilePrivilege	2572	WMIC.exe
Token: SeSystemtimePrivilege	2572	WMIC.exe
Token: SeProfSingleProcessPrivilege	2572	WMIC.exe
Token: SeIncBasePriorityPrivilege	2572	WMIC.exe
Token: SeCreatePagefilePrivilege	2572	WMIC.exe
Token: SeBackupPrivilege	2572	WMIC.exe
Token: SeRestorePrivilege	2572	WMIC.exe
Token: SeShutdownPrivilege	2572	WMIC.exe
Token: SeDebugPrivilege	2572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2572	WMIC.exe
Token: SeRemoteShutdownPrivilege	2572	WMIC.exe
Token: SeUndockPrivilege	2572	WMIC.exe
Token: SeManageVolumePrivilege	2572	WMIC.exe
Token: 33	2572	WMIC.exe
Token: 34	2572	WMIC.exe
Token: 35	2572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3064	WMIC.exe
Token: SeSecurityPrivilege	3064	WMIC.exe
Token: SeTakeOwnershipPrivilege	3064	WMIC.exe
Token: SeLoadDriverPrivilege	3064	WMIC.exe
Token: SeSystemProfilePrivilege	3064	WMIC.exe
Token: SeSystemtimePrivilege	3064	WMIC.exe
Token: SeProfSingleProcessPrivilege	3064	WMIC.exe
Token: SeIncBasePriorityPrivilege	3064	WMIC.exe
Token: SeCreatePagefilePrivilege	3064	WMIC.exe
Token: SeBackupPrivilege	3064	WMIC.exe
Token: SeRestorePrivilege	3064	WMIC.exe
Token: SeShutdownPrivilege	3064	WMIC.exe
Token: SeDebugPrivilege	3064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3064	WMIC.exe
Token: SeRemoteShutdownPrivilege	3064	WMIC.exe
Token: SeUndockPrivilege	3064	WMIC.exe
Token: SeManageVolumePrivilege	3064	WMIC.exe
Token: 33	3064	WMIC.exe
Token: 34	3064	WMIC.exe
Token: 35	3064	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3064	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1776	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	31
PID 1976 wrote to memory of 1776	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	31
PID 1976 wrote to memory of 1776	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	31
PID 1976 wrote to memory of 1776	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	31
PID 1776 wrote to memory of 2572	1776	cmd.exe	32
PID 1776 wrote to memory of 2572	1776	cmd.exe	32
PID 1776 wrote to memory of 2572	1776	cmd.exe	32
PID 1976 wrote to memory of 2624	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	34
PID 1976 wrote to memory of 2624	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	34
PID 1976 wrote to memory of 2624	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	34
PID 1976 wrote to memory of 2624	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	34
PID 2624 wrote to memory of 3064	2624	cmd.exe	36
PID 2624 wrote to memory of 3064	2624	cmd.exe	36
PID 2624 wrote to memory of 3064	2624	cmd.exe	36
PID 1976 wrote to memory of 2124	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	37
PID 1976 wrote to memory of 2124	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	37
PID 1976 wrote to memory of 2124	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	37
PID 1976 wrote to memory of 2124	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	37
PID 2124 wrote to memory of 1208	2124	cmd.exe	39
PID 2124 wrote to memory of 1208	2124	cmd.exe	39
PID 2124 wrote to memory of 1208	2124	cmd.exe	39
PID 1976 wrote to memory of 1648	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	40
PID 1976 wrote to memory of 1648	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	40
PID 1976 wrote to memory of 1648	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	40
PID 1976 wrote to memory of 1648	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	40
PID 1648 wrote to memory of 1128	1648	cmd.exe	42
PID 1648 wrote to memory of 1128	1648	cmd.exe	42
PID 1648 wrote to memory of 1128	1648	cmd.exe	42
PID 1976 wrote to memory of 2236	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	43
PID 1976 wrote to memory of 2236	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	43
PID 1976 wrote to memory of 2236	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	43
PID 1976 wrote to memory of 2236	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	43
PID 2236 wrote to memory of 2892	2236	cmd.exe	45
PID 2236 wrote to memory of 2892	2236	cmd.exe	45
PID 2236 wrote to memory of 2892	2236	cmd.exe	45
PID 1976 wrote to memory of 2940	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	46
PID 1976 wrote to memory of 2940	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	46
PID 1976 wrote to memory of 2940	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	46
PID 1976 wrote to memory of 2940	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	46
PID 2940 wrote to memory of 2936	2940	cmd.exe	48
PID 2940 wrote to memory of 2936	2940	cmd.exe	48
PID 2940 wrote to memory of 2936	2940	cmd.exe	48
PID 1976 wrote to memory of 948	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	49
PID 1976 wrote to memory of 948	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	49
PID 1976 wrote to memory of 948	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	49
PID 1976 wrote to memory of 948	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	49
PID 948 wrote to memory of 1952	948	cmd.exe	51
PID 948 wrote to memory of 1952	948	cmd.exe	51
PID 948 wrote to memory of 1952	948	cmd.exe	51
PID 1976 wrote to memory of 2208	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	52
PID 1976 wrote to memory of 2208	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	52
PID 1976 wrote to memory of 2208	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	52
PID 1976 wrote to memory of 2208	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	52
PID 2208 wrote to memory of 1592	2208	cmd.exe	54
PID 2208 wrote to memory of 1592	2208	cmd.exe	54
PID 2208 wrote to memory of 1592	2208	cmd.exe	54
PID 1976 wrote to memory of 1984	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	55
PID 1976 wrote to memory of 1984	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	55
PID 1976 wrote to memory of 1984	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	55
PID 1976 wrote to memory of 1984	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	55
PID 1984 wrote to memory of 1588	1984	cmd.exe	57
PID 1984 wrote to memory of 1588	1984	cmd.exe	57
PID 1984 wrote to memory of 1588	1984	cmd.exe	57
PID 1976 wrote to memory of 1084	1976	0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
"C:\Users\Admin\AppData\Local\Temp\0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8FA44BFD-FA1F-4DCD-A4F6-14CC53CAD6FF}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8FA44BFD-FA1F-4DCD-A4F6-14CC53CAD6FF}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AFE72AC8-3EBD-47B2-92F7-E77F60ACD00D}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AFE72AC8-3EBD-47B2-92F7-E77F60ACD00D}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2AEC120D-3A20-40DC-A758-BE46F7792880}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2AEC120D-3A20-40DC-A758-BE46F7792880}'" delete
    3⤵
    PID:1208
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{73972E8B-40C0-45C3-BA36-3BB62C9895BB}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{73972E8B-40C0-45C3-BA36-3BB62C9895BB}'" delete
    3⤵
    PID:1128
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{14C3B7BB-E3D1-4A7F-B9D5-965B30494446}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{14C3B7BB-E3D1-4A7F-B9D5-965B30494446}'" delete
    3⤵
    PID:2892
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFAE94FE-C833-4E3E-B01A-AB3865C49748}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFAE94FE-C833-4E3E-B01A-AB3865C49748}'" delete
    3⤵
    PID:2936
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8B94EBC-20A3-4F89-BBBE-7A96F17986E1}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8B94EBC-20A3-4F89-BBBE-7A96F17986E1}'" delete
    3⤵
    PID:1952
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A96262D3-497F-4A7D-ADF1-16344B4C765A}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A96262D3-497F-4A7D-ADF1-16344B4C765A}'" delete
    3⤵
    PID:1592
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79946AB7-635B-4BD2-B65D-B0F433D5F532}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79946AB7-635B-4BD2-B65D-B0F433D5F532}'" delete
    3⤵
    PID:1588
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{34FB718A-E541-46AC-AC9B-BDE963BA4D66}'" delete
  2⤵
  PID:1084
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{34FB718A-E541-46AC-AC9B-BDE963BA4D66}'" delete
    3⤵
    PID:1688
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{22BA0FD3-BE37-4C17-B5C1-843082C12E98}'" delete
  2⤵
  PID:1596
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{22BA0FD3-BE37-4C17-B5C1-843082C12E98}'" delete
    3⤵
    PID:1528
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2CA557A7-8492-4072-B050-1535C2EB536D}'" delete
  2⤵
  PID:324
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2CA557A7-8492-4072-B050-1535C2EB536D}'" delete
    3⤵
    PID:2480
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39226352-220B-4092-B154-9C7E9DB7975F}'" delete
  2⤵
  PID:3012
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39226352-220B-4092-B154-9C7E9DB7975F}'" delete
    3⤵
    PID:3008
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B70D1643-3808-4053-81F7-D9906B42477B}'" delete
  2⤵
  PID:2060
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B70D1643-3808-4053-81F7-D9906B42477B}'" delete
    3⤵
    PID:528
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8161F8C4-8FCF-400F-A1A4-FFB329479019}'" delete
  2⤵
  PID:1620
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8161F8C4-8FCF-400F-A1A4-FFB329479019}'" delete
    3⤵
    PID:2348
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D23619ED-D012-4195-AD2F-8E6B2C41E6FB}'" delete
  2⤵
  PID:2008
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D23619ED-D012-4195-AD2F-8E6B2C41E6FB}'" delete
    3⤵
    PID:1420
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4BB2020C-8D1D-4D87-B2B3-DB0468A02E37}'" delete
  2⤵
  PID:2880
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4BB2020C-8D1D-4D87-B2B3-DB0468A02E37}'" delete
    3⤵
    PID:1552
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9502DCE-BF82-44AA-8729-B59C9539DE36}'" delete
  2⤵
  PID:1800
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9502DCE-BF82-44AA-8729-B59C9539DE36}'" delete
    3⤵
    PID:1916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UndoOut.shtml.ITTZN
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:804
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UndoOut.shtml.ITTZN
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3812

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:3532

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\R3ADM3.txt

Filesize
846B

MD5
1faf49045a09c14d8540fb0d9d595de4

SHA1
bbf25516d2d69d397f1eabcc0c128b29f0627cc6

SHA256
90a3c5e5ecd61cfc66f58049ddeb5b6c13c4b9eee78443778c5e57ee59fb2252

SHA512
e38301a45bbf5c04542a52c677d7be4c66d2d44a284788a102139e05920ba4cb164e13dc77ada3fb326032223b554da3421334ba53abb87b85e2869e71dcef1e

Download Submit
C:\Users\Admin\Desktop\UndoOut.shtml.ITTZN

Filesize
448KB

MD5
c2a611ab27848429a366d59a3197653e

SHA1
19f46276e993ce72f6f4696de453485906e199ab

SHA256
8d2882a36d5b3d3c6486afb395e78600ef9a4f13172305b35ddefd91b2753a05

SHA512
14c6c344372e02444d88277e7e5e2ea81f2945d567ced8b57155fe9432ed90e683f8242c33c93ce7dbf83e4d44c8fb83c2f4d3fba3b01c8a9c7f8aabcd943705

Download Submit
memory/1976-0-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/1976-3-0x0000000000240000-0x0000000000271000-memory.dmp

Filesize
196KB

Download
memory/1976-5-0x0000000000480000-0x00000000004B3000-memory.dmp

Filesize
204KB

Download
memory/3532-17701-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/3784-17702-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download