42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92

General

Target

42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
Size

4.6MB
MD5

30803c7dd34a425b0e5a62a782576148
SHA1

41a65c6a96ad29fe2a33cae37938fa927ba202e7
SHA256

42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92
SHA512

ad5d6f994501fcf0a38d015f4aa83e06fbb9c09f667e333fbc78c4a9b5c5341b77ea975a57f35b0d861b379cff6410578ad51221668dec2aa4926d22770b9e9c
SSDEEP

49152:i9b8Scr3fzHowpVjg7eB4z17/nhzk/E5Xgg2Ju9omuMgcs4Ty5hPLZPwDBQH2/5x:i1uPzHowIE4Fhzk/0jQ9DtcQypMJ

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\HOW TO RESTORE YOUR FILES.TXT

Ransom Note

Hello! All your files are encrypted, write to me if you want to return your files - I can do it very quickly! Contact me by email: [email protected] or [email protected] The subject line must contain an encryption extension or the name of your company! Do not rename encrypted files, you may lose them forever. You may be a victim of fraud. Free decryption as a guarantee. Send us up to 3 files for free decryption. The total file size should be no more than 1 MB! (not in the archive), and the files should not contain valuable information. (databases, backups, large Excel spreadsheets, etc.) !!! Do not turn off or restart the NAS equipment. This will lead to data loss !!! To contact us, we recommend that you create an email address at protonmail.com or tutanota.com Because gmail and other public email programs can block our messages!

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops file in Program Files directory 64 IoCs

Processes:

42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pl-pl\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pl-PL\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\he-il\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-sl\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\it-it\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\Microsoft Office\root\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\AppxMetadata\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
File created	C:\Program Files\7-Zip\Lang\HOW TO RESTORE YOUR FILES.TXT	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4148 sc.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1868 vssadmin.exe

pid	process
4148	sc.exe

pid	process
1868	vssadmin.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.execmd.exe

description	pid	process	target process
PID 2100 wrote to memory of 1528	2100	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe	cmd.exe
PID 2100 wrote to memory of 1528	2100	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe	cmd.exe
PID 1528 wrote to memory of 4148	1528	cmd.exe	sc.exe
PID 1528 wrote to memory of 4148	1528	cmd.exe	sc.exe
PID 1528 wrote to memory of 728	1528	cmd.exe	findstr.exe
PID 1528 wrote to memory of 728	1528	cmd.exe	findstr.exe
PID 2100 wrote to memory of 3160	2100	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe	cmd.exe
PID 2100 wrote to memory of 3160	2100	42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe	cmd.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\joptbcwtomenivj.bat
1⤵
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\system32\findstr.exe
  FINDSTR SERVICE_NAME
  2⤵
  PID:728
- C:\Windows\system32\sc.exe
  SC QUERY
  2⤵
  - Launches sc.exe
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axubusosebavhx.bat
1⤵
PID:3160

C:\Users\Admin\AppData\Local\Temp\42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
"C:\Users\Admin\AppData\Local\Temp\42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfbief.bat
  2⤵
  PID:532
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oueodergtfpnqblobiv.bat
  2⤵
  PID:2680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\HOW TO RESTORE YOUR FILES.TXT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\joptbcwtomenivj.bat

Filesize
43B

MD5
55310bb774fff38cca265dbc70ad6705

SHA1
cb8d76e9fd38a0b253056e5f204dab5441fe932b

SHA256
1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

SHA512
40e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4

Download Submit

Analysis

Sharing