ffae5b02b5b5325aefe3e052e88addf813fd5c4aad4520d68156d17cccef7277

Analysis

max time kernel
194s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2024 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

readtext18.exe
Size

415KB
MD5

a228a558e5c42c077617829c28ee70a2
SHA1

cebf3a5eb692e165bdf9c02c27a10f6fa1adb6b2
SHA256

ffae5b02b5b5325aefe3e052e88addf813fd5c4aad4520d68156d17cccef7277
SHA512

fd918b2fd9756cfa04ff8dde093807a41858826fabbef978ceb5053c157279fb176a601bf3ea8c4fd62d8d9f7834a3bfa5254d86a0c0469ed954b8c1417b2c21
SSDEEP

6144:zcgS/jzUFtC80S2qfjoT0K2xuVzg/tjwN56gZmSubY0fxauJyaqesvzgv3:IgbvCIb0920Zg/hIQ6OBgqI63

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\How_to_back_filess.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">8PDLyOJnwU3kPEJKtbkWgifWCJxkr8QEjmFTBDIwk7KsXtFUxmmdZ2ddgAp11AeywBJBedPXATgsdAn+a15Gpj+iv395ccuF2gq7aqCSlgsO4LAeaNqG/mRtT1DAPz10mfr36Txw3PvTQdGkLhhQ6luMQl6HCQzft+IDWSbJOilHXmGz8mj0zaOx1WwF29CkUwlsw8/XPdjpHeDxI5Rh/UqmKRAjd+hIuuSmtPLoNxy4bVgfCI+9jxo8pGH1oPhZPI1vh7L7Purz+1V4VOfFik7ZMLzM+Q/ZqjsgXepDYi6ZbnRttjmyJS0IJ72Z11VwFR21yILgyu3Fui/8TWB8oTfqZtWJxhe5W4zMGG3JPzxqq0HhhiShWIof8dIPs9j7blEh9b8hMsAkTPytmUyon+tTa6zKqHeDj8HX/7BwgHcpH2cgrtovF7kML69WVjz8yJ/QkVGD3A2KkG4hnzgkQQHAxO1gYnedFisIjKzmjuLXjwvIMrFU/UqQPQa66GvIaAPkz9ys+4P9syaiEz2rDzVem4ngfjhFli8G5KHky4p5HcsJ8G5VW1xPj0B23NyaWACRlBfJGHG1VdSwyqvz34qmOAh88TDzkUUg6FurI1Iqpnh6Bz/Oz2nfAlmqfSH6lX4fmPzJl5u9JObJYDit1HBBIzEOr2Ta9P3bZaSwVJmlkqXHQ3fz6ycGmkWHZ/bDjZxZOCCQ6pPcm0EIa8KKJqkDjIDGZhTzfDCckM/YFgqBXfy2amZ2ISfW1Ht9lrYu4mG31MOhaWQp8eIN6ocsSHvg81JT8daohjHlDcwq/jerWzgFO2I5CPZDsTsWN9gJ5KizIr9m6fVDVBOlDZPs+FNdg5wPX4C3GvDueXoEffNJpo72xlj0in4dyD5ZLL8JJpO0ly0hmcpztqmhAvqtFMmXVjgZ+b3Jr8xk7RcLfNFw4xSuYV+cCeK0QIP3Zq6mC/E71kNNCVTdfWNPGTF4X1I+FBxSDscBaaPfyOKELETRs6Nn9R/NBQjRlcif056Wtw/Hvw42KwbRQv78+mUQdmQWNL5/fyZVNhcX2J6BUGtlCJfM1cHlLz8W+g8cu8+xsy9E+tBdqsSgLiRhZ0tkcLfxNTpC4MPNxrVQzShdNczpnmNKOpKX1eShovkG/GAwBK3qCcs6dCNS44kjfoCNYQRLO9N2hQ2O60EY/KGOYQzk27f+IpsXRiLKAmQr4dt0S43Zah+EyfMlw71YbItRASMcvtbV5zuq83SbtwW/CkLj/P9OLh+GhL0Pe63c8m5Yqjs6ISZle3iOv5qHEpkDvF7oxXfDlAyP6YZ2dONaeCD8iSuNe1a0L3XmuKtKsGdo82WEAzdJFDn3BHEEvTdLRbmdg/lnlUTVM0f/+aEX6W9Ls9Mar64107TeHjUVpRczH9xBlGS6f+vLe3Vmu6nkkq5aX+94dKtBAFnDlWVheZdM8twPPwEIsrLqfhQpCn6ORkGW9Px82JCR0+agKa6EJNHNOpy9idEGB8ogK+h1InezUUNLY1UPXuxT9nUAMyt7EcgfNT2ba0yRTl3FlXmddUNtKeZzWzonLCXxuO0QqtO7ykJh35U5HK/lhrE5H1l8DQ38SQSAbulhXITR1aO/BN18lrM8/G3FNwuB+GUys2oFoev20Jpnk/vgw5Y8f6YaW5qBtNOuMSBm+UwnHwaN+fCEI52bbbwxMkF4eotZjCs=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected]@tagorix.com "> [email protected]@tagorix.com </a> <br> <a href="[email protected] [email protected] "> [email protected] [email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]@tagorix.com

[email protected]@tagorix.com

href="[email protected]

[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2240 created 3352	2240	readtext18.exe	64

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5040	bcdedit.exe
1284	bcdedit.exe

Renames multiple (116) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4044	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3004	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\readtext18.exe\""	readtext18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\readtext18.exe\""	readtext18.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	readtext18.exe
File opened (read-only)	\??\W:	readtext18.exe
File opened (read-only)	\??\J:	readtext18.exe
File opened (read-only)	\??\K:	readtext18.exe
File opened (read-only)	\??\O:	readtext18.exe
File opened (read-only)	\??\S:	readtext18.exe
File opened (read-only)	\??\T:	readtext18.exe
File opened (read-only)	\??\F:	readtext18.exe
File opened (read-only)	\??\A:	readtext18.exe
File opened (read-only)	\??\E:	readtext18.exe
File opened (read-only)	\??\N:	readtext18.exe
File opened (read-only)	\??\P:	readtext18.exe
File opened (read-only)	\??\Z:	readtext18.exe
File opened (read-only)	\??\G:	readtext18.exe
File opened (read-only)	\??\I:	readtext18.exe
File opened (read-only)	\??\L:	readtext18.exe
File opened (read-only)	\??\R:	readtext18.exe
File opened (read-only)	\??\X:	readtext18.exe
File opened (read-only)	\??\Y:	readtext18.exe
File opened (read-only)	\??\B:	readtext18.exe
File opened (read-only)	\??\H:	readtext18.exe
File opened (read-only)	\??\M:	readtext18.exe
File opened (read-only)	\??\Q:	readtext18.exe
File opened (read-only)	\??\U:	readtext18.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	readtext18.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\How_to_back_filess.html	readtext18.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\How_to_back_filess.html	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	readtext18.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\How_to_back_filess.html	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	readtext18.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\How_to_back_filess.html	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui	readtext18.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\How_to_back_filess.html	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat	readtext18.exe
File opened for modification	C:\Program Files\CheckpointStep.wax	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	readtext18.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\How_to_back_filess.html	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui	readtext18.exe
File created	C:\Program Files\7-Zip\How_to_back_filess.html	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	readtext18.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\How_to_back_filess.html	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	readtext18.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\How_to_back_filess.html	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	readtext18.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\How_to_back_filess.html	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui	readtext18.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\How_to_back_filess.html	readtext18.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\How_to_back_filess.html	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	readtext18.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\How_to_back_filess.html	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	readtext18.exe
File created	C:\Program Files\Common Files\DESIGNER\How_to_back_filess.html	readtext18.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui	readtext18.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	readtext18.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3432	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
4600	taskkill.exe
4860	taskkill.exe
4464	taskkill.exe
908	taskkill.exe
1440	taskkill.exe
620	taskkill.exe
3176	taskkill.exe
3332	taskkill.exe
228	taskkill.exe
3508	taskkill.exe
4848	taskkill.exe
3696	taskkill.exe
2596	taskkill.exe
2500	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	3176	taskkill.exe
Token: SeDebugPrivilege	228	taskkill.exe
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	3508	taskkill.exe
Token: SeDebugPrivilege	3332	taskkill.exe
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	3696	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2516	WMIC.exe
Token: SeSecurityPrivilege	2516	WMIC.exe
Token: SeTakeOwnershipPrivilege	2516	WMIC.exe
Token: SeLoadDriverPrivilege	2516	WMIC.exe
Token: SeSystemProfilePrivilege	2516	WMIC.exe
Token: SeSystemtimePrivilege	2516	WMIC.exe
Token: SeProfSingleProcessPrivilege	2516	WMIC.exe
Token: SeIncBasePriorityPrivilege	2516	WMIC.exe
Token: SeCreatePagefilePrivilege	2516	WMIC.exe
Token: SeBackupPrivilege	2516	WMIC.exe
Token: SeRestorePrivilege	2516	WMIC.exe
Token: SeShutdownPrivilege	2516	WMIC.exe
Token: SeDebugPrivilege	2516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2516	WMIC.exe
Token: SeRemoteShutdownPrivilege	2516	WMIC.exe
Token: SeUndockPrivilege	2516	WMIC.exe
Token: SeManageVolumePrivilege	2516	WMIC.exe
Token: 33	2516	WMIC.exe
Token: 34	2516	WMIC.exe
Token: 35	2516	WMIC.exe
Token: 36	2516	WMIC.exe
Token: SeBackupPrivilege	3988	vssvc.exe
Token: SeRestorePrivilege	3988	vssvc.exe
Token: SeAuditPrivilege	3988	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 4848	2240	readtext18.exe	90
PID 2240 wrote to memory of 4848	2240	readtext18.exe	90
PID 2240 wrote to memory of 4848	2240	readtext18.exe	90
PID 4848 wrote to memory of 2300	4848	cmd.exe	95
PID 4848 wrote to memory of 2300	4848	cmd.exe	95
PID 2240 wrote to memory of 4784	2240	readtext18.exe	96
PID 2240 wrote to memory of 4784	2240	readtext18.exe	96
PID 2240 wrote to memory of 4784	2240	readtext18.exe	96
PID 4784 wrote to memory of 3908	4784	cmd.exe	98
PID 4784 wrote to memory of 3908	4784	cmd.exe	98
PID 3908 wrote to memory of 2596	3908	cmd.exe	99
PID 3908 wrote to memory of 2596	3908	cmd.exe	99
PID 2240 wrote to memory of 2172	2240	readtext18.exe	100
PID 2240 wrote to memory of 2172	2240	readtext18.exe	100
PID 2240 wrote to memory of 2172	2240	readtext18.exe	100
PID 2172 wrote to memory of 3152	2172	cmd.exe	103
PID 2172 wrote to memory of 3152	2172	cmd.exe	103
PID 3152 wrote to memory of 4464	3152	cmd.exe	104
PID 3152 wrote to memory of 4464	3152	cmd.exe	104
PID 2240 wrote to memory of 1844	2240	readtext18.exe	105
PID 2240 wrote to memory of 1844	2240	readtext18.exe	105
PID 2240 wrote to memory of 1844	2240	readtext18.exe	105
PID 1844 wrote to memory of 3972	1844	cmd.exe	107
PID 1844 wrote to memory of 3972	1844	cmd.exe	107
PID 3972 wrote to memory of 3176	3972	cmd.exe	108
PID 3972 wrote to memory of 3176	3972	cmd.exe	108
PID 2240 wrote to memory of 4880	2240	readtext18.exe	109
PID 2240 wrote to memory of 4880	2240	readtext18.exe	109
PID 2240 wrote to memory of 4880	2240	readtext18.exe	109
PID 4880 wrote to memory of 1800	4880	cmd.exe	111
PID 4880 wrote to memory of 1800	4880	cmd.exe	111
PID 1800 wrote to memory of 228	1800	cmd.exe	112
PID 1800 wrote to memory of 228	1800	cmd.exe	112
PID 2240 wrote to memory of 4480	2240	readtext18.exe	113
PID 2240 wrote to memory of 4480	2240	readtext18.exe	113
PID 2240 wrote to memory of 4480	2240	readtext18.exe	113
PID 4480 wrote to memory of 564	4480	cmd.exe	115
PID 4480 wrote to memory of 564	4480	cmd.exe	115
PID 564 wrote to memory of 908	564	cmd.exe	116
PID 564 wrote to memory of 908	564	cmd.exe	116
PID 2240 wrote to memory of 3192	2240	readtext18.exe	117
PID 2240 wrote to memory of 3192	2240	readtext18.exe	117
PID 2240 wrote to memory of 3192	2240	readtext18.exe	117
PID 3192 wrote to memory of 4416	3192	cmd.exe	119
PID 3192 wrote to memory of 4416	3192	cmd.exe	119
PID 4416 wrote to memory of 4600	4416	cmd.exe	120
PID 4416 wrote to memory of 4600	4416	cmd.exe	120
PID 2240 wrote to memory of 3456	2240	readtext18.exe	121
PID 2240 wrote to memory of 3456	2240	readtext18.exe	121
PID 2240 wrote to memory of 3456	2240	readtext18.exe	121
PID 3456 wrote to memory of 404	3456	cmd.exe	123
PID 3456 wrote to memory of 404	3456	cmd.exe	123
PID 404 wrote to memory of 2500	404	cmd.exe	124
PID 404 wrote to memory of 2500	404	cmd.exe	124
PID 2240 wrote to memory of 1464	2240	readtext18.exe	125
PID 2240 wrote to memory of 1464	2240	readtext18.exe	125
PID 2240 wrote to memory of 1464	2240	readtext18.exe	125
PID 1464 wrote to memory of 2268	1464	cmd.exe	127
PID 1464 wrote to memory of 2268	1464	cmd.exe	127
PID 2268 wrote to memory of 3508	2268	cmd.exe	128
PID 2268 wrote to memory of 3508	2268	cmd.exe	128
PID 2240 wrote to memory of 1412	2240	readtext18.exe	129
PID 2240 wrote to memory of 1412	2240	readtext18.exe	129
PID 2240 wrote to memory of 1412	2240	readtext18.exe	129

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\readtext18.exe
"C:\Users\Admin\AppData\Local\Temp\readtext18.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3908
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlbrowser.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2596
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sql writer.exe
      4⤵
      Kills process with taskkill
      PID:4464
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3176
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im msmdsrv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:228
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im MsDtsSrvr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:908
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlceip.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4600
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im fdlauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2500
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im Ssms.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3508
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
  2⤵
  PID:1412
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:5040
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im SQLAGENT.EXE
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3332
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
  2⤵
  PID:4020
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:3620
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im fdhost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4848
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
  2⤵
  PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:4364
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im ReportingServicesService.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4860
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
  2⤵
  PID:1956
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:3100
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im msftesql.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1440
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
  2⤵
  PID:768
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:4840
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im pg_ctl.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3696
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
  2⤵
  PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
  2⤵
  PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:3632
  - - C:\Windows\system32\net.exe
      net stop MSSQLServerADHelper100
      4⤵
      PID:908
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        5⤵
        
        PID:5108
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
  2⤵
  PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:4456
  - - C:\Windows\system32\net.exe
      net stop MSSQL$ISARS
      4⤵
      PID:4448
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        5⤵
        
        PID:4408
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
  2⤵
  PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:3792
  - - C:\Windows\system32\net.exe
      net stop MSSQL$MSFW
      4⤵
      PID:3924
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        5⤵
        
        PID:872
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
  2⤵
  PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:3988
  - - C:\Windows\system32\net.exe
      net stop SQLAgent$ISARS
      4⤵
      PID:1508
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        5⤵
        
        PID:1720
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
  2⤵
  PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:1384
  - - C:\Windows\system32\net.exe
      net stop SQLAgent$MSFW
      4⤵
      PID:5036
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        5⤵
        
        PID:2452
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:640
  - - C:\Windows\system32\net.exe
      net stop SQLBrowser
      4⤵
      PID:1348
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        5⤵
        
        PID:60
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
  2⤵
  PID:1648
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:3176
  - - C:\Windows\system32\net.exe
      net stop REportServer$ISARS
      4⤵
      PID:4948
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        5⤵
        
        PID:2564
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
  2⤵
  PID:2516
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:4120
  - - C:\Windows\system32\net.exe
      net stop SQLWriter
      4⤵
      PID:3132
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        5⤵
        
        PID:2004
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  PID:388
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:4768
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:3432
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:4988
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:5040
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
  2⤵
  PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:3596
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} recoverynabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1284
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:4632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic.exe SHADOWCOPY /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2516
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  2⤵
  PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:1768
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      Drops file in Windows directory
      PID:484
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:1772
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      Deletes System State backups
      PID:4044
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
  2⤵
  PID:620
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:1800
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      Deletes system backups
      PID:3004

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3352
- C:\Users\Admin\AppData\Local\Temp\readtext18.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\readtext18.exe -network
  2⤵
  - Adds Run key to start application
  PID:4752

C:\Windows\system32\taskkill.exe
taskkill -f -impostgres.exe
1⤵
- Kills process with taskkill
PID:620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\How_to_back_filess.html

Filesize
5KB

MD5
025fac0a6be96aa8367c90d33a24353e

SHA1
76c80e1505e2eaa9f3c3faa681f9a3b88715fb21

SHA256
5c9744999052970543c82c2151cf0f9e63bf871ba9b453d090bc1866ab496f1c

SHA512
f8e1d9939f7960d7d271b2e30278f33fea4dd9872e0f046185dd641309fa9f89334474206c6196c7ca2075bc0f24b7d3aab335acb431e7475dd937f6a39c8600

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads