Analysis
-
max time kernel
172s -
max time network
199s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
01-01-2024 15:27
Behavioral task
behavioral1
Sample
samples2.zip
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
samples2.zip
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
032e2e00ebb50fcd0c1b56a4cfb9479683e15de23e336556ea3783038e18b536.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
032e2e00ebb50fcd0c1b56a4cfb9479683e15de23e336556ea3783038e18b536.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
07e98c92e1f9859a16b31df6aa5bc83c0d11d4f5f9d8a8ce5d7ddc1a0655a73b.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
07e98c92e1f9859a16b31df6aa5bc83c0d11d4f5f9d8a8ce5d7ddc1a0655a73b.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
2d713e13f7941f69ff7978a16736aac4019955895a79636eed1738c1f6a3e0d3.exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
2d713e13f7941f69ff7978a16736aac4019955895a79636eed1738c1f6a3e0d3.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
37a83fd6b1048433907502f8e50aabdcbae822388ea284e81e9ea1b199674732.exe
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
37a83fd6b1048433907502f8e50aabdcbae822388ea284e81e9ea1b199674732.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
390b31934a8c6923fca53127953406a98231e4437a8523f242c072b0c38bb756.exe
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
390b31934a8c6923fca53127953406a98231e4437a8523f242c072b0c38bb756.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
4dc6bd447edc955f853e3d624be982a77e219a0d8d78c9009ecfd0b6bf18049d.exe
Resource
win7-20231215-en
Behavioral task
behavioral16
Sample
4dc6bd447edc955f853e3d624be982a77e219a0d8d78c9009ecfd0b6bf18049d.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral17
Sample
5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe
Resource
win7-20231129-en
Behavioral task
behavioral18
Sample
5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
5e7d11d6bd11b09c4cc0c4ba54ebea19dcc06ae585d0508d3d8dba251075f4c6.exe
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
5e7d11d6bd11b09c4cc0c4ba54ebea19dcc06ae585d0508d3d8dba251075f4c6.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral21
Sample
64c7d9f709c2e8f059e695db2b1dd84db7b1061ea0a445046603291749fb0920.exe
Resource
win7-20231215-en
Behavioral task
behavioral22
Sample
64c7d9f709c2e8f059e695db2b1dd84db7b1061ea0a445046603291749fb0920.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
7db03ff8a8f7a96bff02870cd5975b06ac52f2816a7c4ee8f2473a301bea133a.exe
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
7db03ff8a8f7a96bff02870cd5975b06ac52f2816a7c4ee8f2473a301bea133a.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral25
Sample
81cb6442c2562274be3b9bc33c6fc5a4c5c43b0569494f857157eef1e9613178.exe
Resource
win7-20231215-en
Behavioral task
behavioral26
Sample
81cb6442c2562274be3b9bc33c6fc5a4c5c43b0569494f857157eef1e9613178.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
8629ec2aedcf3d482ced397406a20fc49e64adf5eb52b717fa331730404de411.exe
Resource
win7-20231215-en
Behavioral task
behavioral28
Sample
8629ec2aedcf3d482ced397406a20fc49e64adf5eb52b717fa331730404de411.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral29
Sample
8b13ff52ff84eff160a5c0b8c80c7bd336e5bcfef7730ce7a5c499f112632bab.exe
Resource
win7-20231129-en
Behavioral task
behavioral30
Sample
8b13ff52ff84eff160a5c0b8c80c7bd336e5bcfef7730ce7a5c499f112632bab.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral31
Sample
90b4871229a8654c4258d4d470475e891b7db88407f53653a110de8d70fa4811.exe
Resource
win7-20231215-en
General
-
Target
5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe
-
Size
453KB
-
MD5
15e64cc4e12006fd7bf95cdfdb2ad674
-
SHA1
f4a7023d943749b9aa5c373cc84b5ee6f2845717
-
SHA256
5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d
-
SHA512
596b44694970ecef43a4238c0d2e547844b40c75697e962893a0b21f248136de5a1bf27da7651a5f4eef073f595e5015d63fa0f99a1e39185cfeb5c3bdaf5bbc
-
SSDEEP
6144:selkSPS7kiuw4SEtOvgs25TfCxFu/4grGsBNcRMr5p6LnTAOzarKJ7nkxXTv:selk4Sgiuw40vfnxIXNcw6rTcr4eTv
Malware Config
Extracted
C:\Users\Admin\Desktop\HOW_TO_RECOVER_FILES.txt
http://noescapemsqxvizdxyl7f7rmg5cdjwp33pg2wpmiaaibilb4btwzttad.onion
http://noescaperjh3gg6oy7rck57fiefyuzmj7kmvojxgvlmwd5pdzizrb7ad.onion/9a327ded-8235-4391-8aa9-bd7cbeca8977
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (152) files with added filename extension
This suggests ransomware activity: files across the system are being encrypted and renamed.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\P: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\W: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\F: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\A: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\G: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\H: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\L: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\N: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\B: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\J: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\R: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\T: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\Z: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\I: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\M: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\U: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\V: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\X: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\E: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\K: 
5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\O: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\Q: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\S: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe File opened (read-only) \??\Y: 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 
5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 
5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 512 WMIC.exe Token: SeSecurityPrivilege 512 WMIC.exe Token: SeTakeOwnershipPrivilege 512 WMIC.exe Token: SeLoadDriverPrivilege 512 WMIC.exe Token: SeSystemProfilePrivilege 512 WMIC.exe Token: SeSystemtimePrivilege 512 WMIC.exe Token: SeProfSingleProcessPrivilege 512 WMIC.exe Token: SeIncBasePriorityPrivilege 512 WMIC.exe Token: SeCreatePagefilePrivilege 512 WMIC.exe Token: SeBackupPrivilege 512 WMIC.exe Token: SeRestorePrivilege 512 WMIC.exe Token: SeShutdownPrivilege 512 WMIC.exe Token: SeDebugPrivilege 512 WMIC.exe Token: SeSystemEnvironmentPrivilege 512 WMIC.exe Token: SeRemoteShutdownPrivilege 512 WMIC.exe Token: SeUndockPrivilege 512 WMIC.exe Token: SeManageVolumePrivilege 512 WMIC.exe Token: 33 512 WMIC.exe Token: 34 512 WMIC.exe Token: 35 512 WMIC.exe Token: 36 512 WMIC.exe Token: SeIncreaseQuotaPrivilege 512 WMIC.exe Token: SeSecurityPrivilege 512 WMIC.exe Token: SeTakeOwnershipPrivilege 512 WMIC.exe Token: SeLoadDriverPrivilege 512 WMIC.exe Token: SeSystemProfilePrivilege 512 WMIC.exe Token: SeSystemtimePrivilege 512 WMIC.exe Token: SeProfSingleProcessPrivilege 512 WMIC.exe Token: SeIncBasePriorityPrivilege 512 WMIC.exe Token: SeCreatePagefilePrivilege 512 WMIC.exe Token: SeBackupPrivilege 512 WMIC.exe Token: SeRestorePrivilege 512 WMIC.exe Token: SeShutdownPrivilege 512 WMIC.exe Token: SeDebugPrivilege 512 WMIC.exe Token: SeSystemEnvironmentPrivilege 512 WMIC.exe Token: SeRemoteShutdownPrivilege 512 WMIC.exe Token: SeUndockPrivilege 512 WMIC.exe Token: SeManageVolumePrivilege 512 WMIC.exe Token: 33 512 WMIC.exe Token: 34 512 WMIC.exe Token: 35 512 WMIC.exe Token: 36 512 WMIC.exe Token: SeBackupPrivilege 2876 vssvc.exe Token: SeRestorePrivilege 2876 vssvc.exe Token: SeAuditPrivilege 2876 vssvc.exe Token: SeIncreaseQuotaPrivilege 1732 WMIC.exe Token: SeSecurityPrivilege 1732 WMIC.exe Token: SeTakeOwnershipPrivilege 1732 WMIC.exe Token: SeLoadDriverPrivilege 1732 WMIC.exe Token: SeSystemProfilePrivilege 
1732 WMIC.exe Token: SeSystemtimePrivilege 1732 WMIC.exe Token: SeProfSingleProcessPrivilege 1732 WMIC.exe Token: SeIncBasePriorityPrivilege 1732 WMIC.exe Token: SeCreatePagefilePrivilege 1732 WMIC.exe Token: SeBackupPrivilege 1732 WMIC.exe Token: SeRestorePrivilege 1732 WMIC.exe Token: SeShutdownPrivilege 1732 WMIC.exe Token: SeDebugPrivilege 1732 WMIC.exe Token: SeSystemEnvironmentPrivilege 1732 WMIC.exe Token: SeRemoteShutdownPrivilege 1732 WMIC.exe Token: SeUndockPrivilege 1732 WMIC.exe Token: SeManageVolumePrivilege 1732 WMIC.exe Token: 33 1732 WMIC.exe Token: 34 1732 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1584 wrote to memory of 4964 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 96 PID 1584 wrote to memory of 4964 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 96 PID 1584 wrote to memory of 4964 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 96 PID 4964 wrote to memory of 512 4964 cmd.exe 98 PID 4964 wrote to memory of 512 4964 cmd.exe 98 PID 4964 wrote to memory of 512 4964 cmd.exe 98 PID 1584 wrote to memory of 4636 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 103 PID 1584 wrote to memory of 4636 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 103 PID 1584 wrote to memory of 4636 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 103 PID 1584 wrote to memory of 3184 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 105 PID 1584 wrote to memory of 3184 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 105 PID 1584 wrote to memory of 3184 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 105 PID 1584 wrote to memory of 4252 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 107 PID 1584 wrote to memory of 4252 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 107 PID 1584 wrote to memory of 4252 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 107 PID 1584 wrote to memory of 4188 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 109 PID 1584 wrote to memory of 4188 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 109 PID 1584 wrote to memory of 4188 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 109 PID 1584 wrote to memory of 384 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 111 PID 1584 wrote to memory of 384 1584 
5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 111 PID 1584 wrote to memory of 384 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 111 PID 1584 wrote to memory of 3188 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 113 PID 1584 wrote to memory of 3188 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 113 PID 1584 wrote to memory of 3188 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 113 PID 1584 wrote to memory of 2912 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 115 PID 1584 wrote to memory of 2912 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 115 PID 1584 wrote to memory of 2912 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 115 PID 1584 wrote to memory of 2208 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 117 PID 1584 wrote to memory of 2208 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 117 PID 1584 wrote to memory of 2208 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 117 PID 2208 wrote to memory of 1732 2208 cmd.exe 119 PID 2208 wrote to memory of 1732 2208 cmd.exe 119 PID 2208 wrote to memory of 1732 2208 cmd.exe 119 PID 1584 wrote to memory of 2408 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 120 PID 1584 wrote to memory of 2408 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 120 PID 1584 wrote to memory of 2408 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 120 PID 1584 wrote to memory of 1652 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 122 PID 1584 wrote to memory of 1652 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 122 PID 1584 wrote to memory of 1652 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 122 
PID 1584 wrote to memory of 4824 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 124 PID 1584 wrote to memory of 4824 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 124 PID 1584 wrote to memory of 4824 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 124 PID 1584 wrote to memory of 3648 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 126 PID 1584 wrote to memory of 3648 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 126 PID 1584 wrote to memory of 3648 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 126 PID 1584 wrote to memory of 4616 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 128 PID 1584 wrote to memory of 4616 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 128 PID 1584 wrote to memory of 4616 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 128 PID 1584 wrote to memory of 3696 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 130 PID 1584 wrote to memory of 3696 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 130 PID 1584 wrote to memory of 3696 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 130 PID 1584 wrote to memory of 2596 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 132 PID 1584 wrote to memory of 2596 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 132 PID 1584 wrote to memory of 2596 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 132 PID 1584 wrote to memory of 4996 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 134 PID 1584 wrote to memory of 4996 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 134 PID 1584 wrote to memory of 4996 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 134 
PID 4996 wrote to memory of 416 4996 cmd.exe 136 PID 4996 wrote to memory of 416 4996 cmd.exe 136 PID 4996 wrote to memory of 416 4996 cmd.exe 136 PID 1584 wrote to memory of 4936 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 137 PID 1584 wrote to memory of 4936 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 137 PID 1584 wrote to memory of 4936 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 137 PID 1584 wrote to memory of 3824 1584 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe 140 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe"C:\Users\Admin\AppData\Local\Temp\5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1584 -
C:\Windows\SysWOW64\cmd.execmd /c wmic SHADOWCOPY DELETE /nointeractive2⤵
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY DELETE /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:512
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest2⤵PID:4636
-
-
C:\Windows\SysWOW64\cmd.execmd /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:02⤵PID:3184
-
-
C:\Windows\SysWOW64\cmd.execmd /c wbadmin DELETE BACKUP -deleteOldest2⤵PID:4252
-
-
C:\Windows\SysWOW64\cmd.execmd /c wbadmin DELETE BACKUP -keepVersions:02⤵PID:4188
-
-
C:\Windows\SysWOW64\cmd.execmd /c vssadmin Delete Shadows /All /Quiet2⤵PID:384
-
-
C:\Windows\SysWOW64\cmd.execmd /c bcdedit /set {default} recoveryenabled No2⤵PID:3188
-
-
C:\Windows\SysWOW64\cmd.execmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵PID:2912
-
-
C:\Windows\SysWOW64\cmd.execmd /c wmic SHADOWCOPY DELETE /nointeractive2⤵
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY DELETE /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest2⤵PID:2408
-
-
C:\Windows\SysWOW64\cmd.execmd /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:02⤵PID:1652
-
-
C:\Windows\SysWOW64\cmd.execmd /c wbadmin DELETE BACKUP -deleteOldest2⤵PID:4824
-
-
C:\Windows\SysWOW64\cmd.execmd /c wbadmin DELETE BACKUP -keepVersions:02⤵PID:3648
-
-
C:\Windows\SysWOW64\cmd.execmd /c vssadmin Delete Shadows /All /Quiet2⤵PID:4616
-
-
C:\Windows\SysWOW64\cmd.execmd /c bcdedit /set {default} recoveryenabled No2⤵PID:3696
-
-
C:\Windows\SysWOW64\cmd.execmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵PID:2596
-
-
C:\Windows\SysWOW64\cmd.execmd /c wmic SHADOWCOPY DELETE /nointeractive2⤵
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY DELETE /nointeractive3⤵PID:416
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest2⤵PID:4936
-
-
C:\Windows\SysWOW64\cmd.execmd /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:02⤵PID:3824
-
-
C:\Windows\SysWOW64\cmd.execmd /c wbadmin DELETE BACKUP -deleteOldest2⤵PID:3296
-
-
C:\Windows\SysWOW64\cmd.execmd /c wbadmin DELETE BACKUP -keepVersions:02⤵PID:4336
-
-
C:\Windows\SysWOW64\cmd.execmd /c vssadmin Delete Shadows /All /Quiet2⤵PID:2284
-
-
C:\Windows\SysWOW64\cmd.execmd /c bcdedit /set {default} recoveryenabled No2⤵PID:3980
-
-
C:\Windows\SysWOW64\cmd.execmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵PID:1176
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876
Downloads
-
Filesize
1KB
MD5 91ce5f6175c8e4eb7c99616535b910f3
SHA1 79075d55fb0cace70c810059ee3c59ec2c55ecdd
SHA256 12dad68d9a0d18736df2abf6b54d1db67e3ab91575d90408ea6e387f008b4867
SHA512 452a54b9ffb3f24e70384b53ccbaac056c438bf175e33dc831242bd9ebe73aafecaf38dd5ee7dd102154c4389bb1cc1609b3c0254b4f16eb109d0e902fce4b81