Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
31-12-2023 08:32
Behavioral task
behavioral1
Sample
2f2d4eb24662c916f822f9c3fd55c9b2.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2f2d4eb24662c916f822f9c3fd55c9b2.exe
Resource
win10v2004-20231215-en
General
-
Target
2f2d4eb24662c916f822f9c3fd55c9b2.exe
-
Size
206KB
-
MD5
2f2d4eb24662c916f822f9c3fd55c9b2
-
SHA1
9d5bda347f70b8f928803a28782a1018d9f2d0e0
-
SHA256
4a47769cf06cd353a24bf01392a154fb5c9c97547e63382d1859f6b90448b2ba
-
SHA512
1cc68736ac883a60f1113f183fa68b344b86dffc6b3853dbabbc626eb02fd69b9eb3801891c07193ab3684419e7346d4a1d0c37a5de6523df0dabae1b0051bb5
-
SSDEEP
3072:0bOTRwYckApvw14pcODvX/kyeAYcWNzs2C3Zm4YSYoj1ZYJJCpdXfabI8AKgcJuU:wOsZiKRJWWY1dJJQdHrYuFC
Malware Config
Extracted
crylock
- emails
-
ransomnote
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <title>CryLock</title> <hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application> <script language="JavaScript"> var max_discount = 50; var start_date = new Date('<%START_DATETIME%>'); var discount_date = new Date('<%DOUBLE_DATETIME%>'); var end_date = new Date('<%UNDECRYPT_DATETIME%>'); var main_contact = '<%MAIN_CONTACT%>'; var hid = '[<%HID%>]'; var second_contact = '<%RESERVE_CONTACT%>'; var sd = end_date; var dn = new Date(); var zoc, ddGlobal; function document.onblur() { alert('Attention! This important information for you!'); } function setContacts() { document.getElementById('main_contact').innerHTML = main_contact; document.getElementById('second_contact').innerHTML = second_contact; document.getElementById('hid').innerHTML = hid; } function countDiscount() { var term_current = new Date().getTime() - start_date.getTime(); var term_full = discount_date.getTime() - start_date.getTime(); var delta = discount_date.getTime() - new Date().getTime(); delta = new Date(delta); var dt = document.getElementById('pwr'); var timer_discount = document.getElementById('timer_discount'); var discount = document.getElementById('discount'); var hours_to_end = Math.floor(term_full / 1000 / 3600); var hours_current = Math.floor(term_current / 1000 / 3600); if (discount_date.getTime() > dn.getTime()) { var disc_per_hour = parseFloat(max_discount / hours_to_end).toFixed(2); var cur_discount = Math.floor(max_discount - (disc_per_hour * hours_current)); if (discount) { discount.innerHTML = cur_discount + '% discount'; } } if (cur_discount <= 25) { dt.style.cssText = 'border: 1px solid #FFC000;'; if (timer_discount) { timer_discount.style.background = '#FFC000'; } } if (sd.getTime() < dn.getTime() || cur_discount < 5) { dt.style.cssText = 'border: 1px solid #F53636; background-color: #F53636; padding: 16px 20px;'; dt.innerHTML = '<div style="font-size: 16px; color: #ffffff; text-align: center; display: block; font-weight: bold;">Decryption key can be bought at standard cost.</div><div style="font-size: 13px; color: #fff; text-align: center; margin-top: 10px">You need to hurry up to decrypt your data because all your files will be destroyed soon.</div>'; } var dd = (delta.getUTCDate()-1) + ((delta.getUTCMonth()) * 31); var hh = delta.getUTCHours(); var mm = delta.getUTCMinutes(); var ss = delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } if (timer_discount) { timer_discount.innerHTML = dd + ' ' + hh+':'+mm+':'+ss; } } function ChangeTime() { var sd = end_date; var dn = new Date(); if (sd.getTime() < dn.getTime()) { var dt = document.getElementById('lctw'); dt.innerHTML = '<b>Soon, you won\'t be able to decrypt your files. Contact us immediately!</b>'; dt.style.cssText = 'background-color: #F53636; color: #ffffff; font-weight: bold; padding: 19px 24px; margin: 17px 0 24px; text-align: center; font-size: 20px;'; zoc = 2; } else { var delta = sd.getTime() - dn.getTime(); delta = new Date(delta); var dd = (delta.getUTCDate()-1) + ((delta.getUTCMonth()) * 31); ddGlobal = parseInt(dd); var hh = delta.getUTCHours(); var mm = delta.getUTCMinutes(); var ss = delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt = document.getElementById('file_lost'); if (dt) { dt.innerHTML= dd+' '+hh+':'+mm+':'+ss; } } } var count = 100, interval = 10, intervalID; function blink() { if (ddGlobal == 0 && zoc != 2) { var dt = document.getElementById('file_lost'); var dt2 = document.getElementById('text_file_lost'); var test = document.getElementById('test'); if (count == 100) { intervalId = setInterval(function () { dt.style.filter = 'alpha(opacity='+count+')'; dt2.style.filter = 'alpha(opacity='+count+')'; count = count - 2; if (count == 20) clearInterval(intervalId); }, interval); } if (count == 20) { intervalId = setInterval(function () { dt.style.filter = 'alpha(opacity='+count+')'; dt2.style.filter = 'alpha(opacity='+count+')'; count = count + 2; if (count == 100) clearInterval(intervalId); }, interval); } } } function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } function Rndom() { var dt=document.getElementById('rc'); var xx=''; var i=0; while (i < 40) { xx=xx+getRandomArbitrary(0,2); i=i+1; } rc.innerHTML= xx; } function Start() { window.resizeTo(850,720); setContacts(); ChangeTime(); setInterval(ChangeTime, 1000); countDiscount(); setInterval(countDiscount, 1000); setInterval(blink, 100); setInterval(Rndom,100); } function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); } function Restart() { alert('Attention! This important information for you!'); } </script> <body style="background: #000; font: 12px 'Arial', sans-serif; padding: 0; margin: 0;" onload="Start();"> <div style="height: 100%; position: absolute; top: 0; left: 0; background-color: #ffffff; box-sizing: border-box; padding: 20px; overflow-x: hidden;overflow-y: hidden;"> <div style="background-color: #000000; width: 100%; height: 55px;" id="header"> <div style="color: #F53636; font-weight: bold; font-size: 40px; text-transform: uppercase; line-height: 54px; padding-left: 8px; float: left;">ENCRYPTED</div> <div style="font-size: 18px; color: #7E7E7E; float: right; line-height: 55px; padding-right: 17px;" id="rc">11100001111011111111100001111011111100</div> </div> <div style="clear: both; float: none; height: 18px; width: 100%;"></div> <div> <div style="float: left; width: 144px; height: 110px; background-color: #000000; color: #ffffff; text-align: center; line-height: 1;"> <b style="display: block; font-size: 43px; margin-top: 24px;">What</b> <b style="display: block; font-size: 20px;">happened?</b> </div> <div style="float: right; width: 630px;"> <b style="font-size: 13px; color: #F53636;">All your documents, databases, backups, and other critical files were encrypted.</b> <div>Our software used the AES cryptographic algorithm (you can find related information in Wikipedia).</div> <br> <div>It happened because of security problems on your server, and you cannot use any of these files anymore. The only way to recover your data is to buy a decryption key from us. </div> <br> <div>To do this, please send your unique ID to the contacts below.</div> </div> <div style="clear: both; float: none; height: 18px; width: 100%;"></div> </div> <div> <div style="float: left; width: 540px;"> <div style="background: #EDEDED; height: 63px; line-height: 63px; margin-bottom: 5px; cursor: pointer;" OnClick="copytext(main_contact)"> <div style="width: 80px; float: left; font-size: 16px; color: #737373; padding-left: 18px;">E-mail:</div> <b style="float: left; font-size: 14px; padding-left: 76px;" id="main_contact"></b> <div href="#" style="float: right; padding-right: 18px; font-size: 16px; color: #828282; font-weight: bold;" >copy</div> <div style="clear: both; float: none;"></div> </div> <div style="background: #EDEDED; height: 63px; line-height: 63px; margin-bottom: 5px; cursor: pointer;" OnClick="copytext(hid)"> <div style="width: 80px; float: left; font-size: 16px; color: #737373; padding-left: 18px;">Unique ID:</div> <b style="float: left; font-size: 14px; padding-left: 76px;" id="hid"></b> <div href="#" style="float: right; padding-right: 18px; font-size: 16px; color: #828282; font-weight: bold;" >copy</div> <div style="clear: both; float: none;"></div> </div> <div style="margin-top: 17px; line-height: 18px;">Right after payment, we will send you a specific decoding software that will decrypt all of your files. If you have not received the response within 24 hours, please contact us by e-mail <span style="text-decoration: underline;" OnClick="copytext(second_contact)" id="second_contact"></span>.</div> </div> <div style="float: right; width: 230px;"> <div style="border: 1px solid #2FAB61;" id="pwr"> <div style="padding: 13px 14px 3px 14px; text-align: center; font-size: 14px;">During a short period, you can buy a decryption key with a </div> <div style="font-size: 25px; text-align: center; display: block; font-weight: bold;" id="discount">50% discount</div> <div id="timer_discount" style="margin-top: 10px; background-color: #219653; padding: 5px 0; text-align: center; font-size: 25px; font-weight: bold; color: #ffffff;">--:--:-- left</div> </div> <div style="margin-top: 17px; line-height: 18px;">The price depends on how soon you will contact us.</div> </div> <div style="clear: both; float: none;"></div> </div> <div style="background-color: #F53636; color: #ffffff; font-weight: bold; padding: 19px 24px; margin: 17px 0 24px" id="lctw"> <div style="float: left; font-size: 20px; padding-top: 3px;" id="text_file_lost">All your files will be deleted permanently in:</div> <div style="float: right; font-size: 25px;" id="file_lost"></div> <div style="clear: both; float: none;"></div> </div> <div> <div style="float: left; width: 540px;"> <b style="margin-bottom: 11px; font-size: 14px; display: block;">Attention! <div id="test"></div></b> <ul style="list-style: none; padding: 0; margin: 0;"> <li style="position: relative; padding-left: 20px; font-size: 12px; margin-bottom: 14px;"> <span style="position: absolute; font-size: 27px; left: 0; color: #F53636; top: -1px;">!</span> <span style="color: #F53636;">Do not try to recover files yourself.</span> this process can damage your data and recovery will become impossible.</li> <li style="position: relative; padding-left: 20px; font-size: 12px; margin-bottom: 14px;"> <span style="position: absolute; font-size: 27px; left: 0; color: #F53636; top: -1px;">!</span> <span style="color: #F53636;">Do not waste time trying to find the solution on the Internet.</span> The longer you wait, the higher will become the decryption key price.</li> <li style="position: relative; padding-left: 20px; font-size: 12px margin-bottom: 14px;"> <span style="position: absolute; font-size: 27px; left: 0; color: #F53636; top: -1px;">!</span> <span style="color: #F53636;">Do not contact any intermediaries.</span> They will buy the key from us and sell it to you at a higher price.</li> </ul> </div> <div style="float: right; width: 230px;"> <b style="margin-bottom: 11px; font-size: 14px; display: block;">What guarantees do you have?</b> <div>Before payment, we can decrypt three files for free. The total file size should be less than 5MB (before archiving), and the files should not contain any important information (databases, backups, large tables, etc.)</div> </div> <div style="clear: both; float: none;"></div> </div> </div> </body> </html>
Extracted
C:\$Recycle.Bin\S-1-5-21-768304381-2824894965-3840216961-1000\how_to_decrypt.hta
Signatures
-
Crylock
Ransomware family, which is a new variant of Cryakl ransomware.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation 2f2d4eb24662c916f822f9c3fd55c9b2.exe -
Drops startup file 1 IoCs
description ioc Process File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\how_to_decrypt.hta 2f2d4eb24662c916f822f9c3fd55c9b2.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7A47E0D5-4C965BDC = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2f2d4eb24662c916f822f9c3fd55c9b2.exe\" -id \"7A47E0D5-4C965BDC\" -wid \"vis\"" 2f2d4eb24662c916f822f9c3fd55c9b2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1287499 = "1287499" 2f2d4eb24662c916f822f9c3fd55c9b2.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops desktop.ini file(s) 30 IoCs
description ioc Process File opened for modification \??\c:\users\admin\3d objects\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\documents\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\downloads\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\favorites\links\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\saved games\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\desktop\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\searches\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\libraries\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\f:\$recycle.bin\s-1-5-21-768304381-2824894965-3840216961-1000\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\downloads\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\favorites\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\onedrive\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\documents\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\videos\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\desktop\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\music\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\pictures\camera roll\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\pictures\saved pictures\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\links\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\music\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\videos\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\accountpictures\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\$recycle.bin\s-1-5-21-768304381-2824894965-3840216961-1000\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\contacts\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\pictures\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\pictures\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 2f2d4eb24662c916f822f9c3fd55c9b2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4748 WMIC.exe Token: SeSecurityPrivilege 4748 WMIC.exe Token: SeTakeOwnershipPrivilege 4748 WMIC.exe Token: SeLoadDriverPrivilege 4748 WMIC.exe Token: SeSystemProfilePrivilege 4748 WMIC.exe Token: SeSystemtimePrivilege 4748 WMIC.exe Token: SeProfSingleProcessPrivilege 4748 WMIC.exe Token: SeIncBasePriorityPrivilege 4748 WMIC.exe Token: SeCreatePagefilePrivilege 4748 WMIC.exe Token: SeBackupPrivilege 4748 WMIC.exe Token: SeRestorePrivilege 4748 WMIC.exe Token: SeShutdownPrivilege 4748 WMIC.exe Token: SeDebugPrivilege 4748 WMIC.exe Token: SeSystemEnvironmentPrivilege 4748 WMIC.exe Token: SeRemoteShutdownPrivilege 4748 WMIC.exe Token: SeUndockPrivilege 4748 WMIC.exe Token: SeManageVolumePrivilege 4748 WMIC.exe Token: 33 4748 WMIC.exe Token: 34 4748 WMIC.exe Token: 35 4748 WMIC.exe Token: 36 4748 WMIC.exe Token: SeIncreaseQuotaPrivilege 4748 WMIC.exe Token: SeSecurityPrivilege 4748 WMIC.exe Token: SeTakeOwnershipPrivilege 4748 WMIC.exe Token: SeLoadDriverPrivilege 4748 WMIC.exe Token: SeSystemProfilePrivilege 4748 WMIC.exe Token: SeSystemtimePrivilege 4748 WMIC.exe Token: SeProfSingleProcessPrivilege 4748 WMIC.exe Token: SeIncBasePriorityPrivilege 4748 WMIC.exe Token: SeCreatePagefilePrivilege 4748 WMIC.exe Token: SeBackupPrivilege 4748 WMIC.exe Token: SeRestorePrivilege 4748 WMIC.exe Token: SeShutdownPrivilege 4748 WMIC.exe Token: SeDebugPrivilege 4748 WMIC.exe Token: SeSystemEnvironmentPrivilege 4748 WMIC.exe Token: SeRemoteShutdownPrivilege 4748 WMIC.exe Token: SeUndockPrivilege 4748 WMIC.exe Token: SeManageVolumePrivilege 4748 WMIC.exe Token: 33 4748 WMIC.exe Token: 34 4748 WMIC.exe Token: 35 4748 WMIC.exe Token: 36 4748 WMIC.exe Token: SeBackupPrivilege 4584 vssvc.exe Token: SeRestorePrivilege 4584 vssvc.exe Token: SeAuditPrivilege 4584 vssvc.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 616 wrote to memory of 1484 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 111 PID 616 wrote to memory of 1484 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 111 PID 616 wrote to memory of 1484 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 111 PID 616 wrote to memory of 4708 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 109 PID 616 wrote to memory of 4708 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 109 PID 616 wrote to memory of 4708 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 109 PID 616 wrote to memory of 1744 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 107 PID 616 wrote to memory of 1744 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 107 PID 616 wrote to memory of 1744 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 107 PID 616 wrote to memory of 456 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 106 PID 616 wrote to memory of 456 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 106 PID 616 wrote to memory of 456 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 106 PID 616 wrote to memory of 2984 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 104 PID 616 wrote to memory of 2984 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 104 PID 616 wrote to memory of 2984 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 104 PID 616 wrote to memory of 2480 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 103 PID 616 wrote to memory of 2480 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 103 PID 616 wrote to memory of 2480 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 103 PID 456 wrote to memory of 4748 456 cmd.exe 100 PID 456 wrote to memory of 4748 456 cmd.exe 100 PID 456 wrote to memory of 4748 456 cmd.exe 100 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f2d4eb24662c916f822f9c3fd55c9b2.exe"C:\Users\Admin\AppData\Local\Temp\2f2d4eb24662c916f822f9c3fd55c9b2.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"2⤵PID:2480
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"2⤵PID:2984
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"2⤵
- Suspicious use of WriteProcessMemory
PID:456
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"2⤵PID:1744
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"2⤵PID:4708
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"2⤵PID:1484
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY DELETE1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4748
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4584
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
930B
MD5cd88b51760bc2a2fcca1a7f87bc11a72
SHA15d9c985f84b50e22ac8a73ebf84540a2fa9d1ed6
SHA2562db0bb385d7c468f80f1d1b6c8d6b1014b250e5097dc33396f67bfc6c1bedbdd
SHA512a2b2b19098923f14d34dce7a2a530009e3fb40594a5186bb69c483513d894733d36fd8457518c04d87bb57f10c9bb0c9a63c78872c2d0de7bdd3348e9ca1b4c3
-
Filesize
930B
MD50d8d289e6aa9da1068f6a094f69f1670
SHA1d676ae6e30953ccaae2f483f5e36c02c64ea1d38
SHA256903a4a7e28852f577936c73a4de1e51bf5df2c9124cb35d7492dd82cb86eec69
SHA512368e55dacdc33ef1f7a66bd07b4506c9a3e8912d537e04a43812433a51d504ae3fd0eb28a8f6888f5a5e90a4b6c7556347dfb984237bc428ad78f486072515e9
-
Filesize
13KB
MD544a6b83020d4f25cafb6869295f44a3f
SHA1489fed22d07835f0da1a7679ed7b8c54eb0aaf7d
SHA256ffa114c0aea0138e2300ff7124d8e5354e1a5698484e47307c2fb58a345da16a
SHA512c0ce0f7ddaef565d2cbb7425ec4208eb6973aa7c4e8e75526ad5ffdf279fead9fcfe559dee2865a65cedf27a43dc4f9c22145b3003a5b13c1d68daaa235523e3
-
Filesize
1KB
MD5416251992c72a849afbef2ef6709a456
SHA1372e1f25e14afb29082ed326f487a569d274ec95
SHA256853327c74d2a4976199ccb5d583267237d3cf5913866e0bd4d6f07feb7656e3e
SHA5127f0972ac78684cbced4a03bdb39bf74c1368eeda0ce3ef1d75aa4c63c72d85e0074a20a0e767e5ca43cdf2babcc21db51c336a489aa6123b5695ac2793b270b7
-
Filesize
4KB
MD52f56f45bfc6db4f5f7c1b5f304ea1a4b
SHA14d9cb4948f877afe1be85685cf5b4ba34662ab8b
SHA256a85b6b4b39c0f45884243440387fd338518a6d9cd1e2bc5ee38575d113dc00ff
SHA51254f550a0eb7e3393aba3c4a9fbaa25e825f05a5841e77a0a4a825f0d1756a48ada8350f19119899656466b7bddd115556906d5b9d39b12966247f9880b42a5cd