Analysis
max time kernel: 600s
max time network: 372s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 10-01-2024 13:21

Static task: static1

Behavioral task: behavioral1
Sample: a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe
Resource: win10v2004-20231215-en
General
Target: a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe
Size: 3.2MB
MD5: 6d44f8f3c1608e5958b40f9c6d7b6718
SHA1: 9203ad3b6ffb7732591ef560965566555bce9d82
SHA256: a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455
SHA512: 656eb44b563705e1045b6a881b4f8a462ecf3bb8b2421cb18dfa21421629f7af92fe4b72736edfe3fea2ea13bef84f5faab5a78b8ef2b4f656a9055d0c4a22bd
SSDEEP: 98304:wgwRevguPPFpugyxQkvA51nFbk+kUwWlGroD+1f:wgtv7ov5vqbk++AGkD+1f
Malware Config
Signatures
Detects Mimic ransomware 2 IoCs
resource | yara_rule
behavioral1/files/0x0009000000016bfc-29.dat | family_mimic
behavioral1/files/0x0005000000019458-98.dat | family_mimic
Mimic
Ransomware family first observed in the wild in 2022.
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3" | DC.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | YOURDATA.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | YOURDATA.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | YOURDATA.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | YOURDATA.exe
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
2088 | bcdedit.exe
2648 | bcdedit.exe
Renames multiple (6285) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
pid | Process
3016 | wbadmin.exe

pid | Process
2136 | wbadmin.exe
Sets file execution options in registry 2 TTPs 64 IoCs
Deletes itself 1 IoCs
pid | Process
1384 | cmd.exe
Executes dropped EXE 12 IoCs
pid | Process
2368 | 7za.exe
2720 | 7za.exe
2660 | 3usdaa.exe
3068 | YOURDATA.exe
1928 | DC.exe
848 | YOURDATA.exe
2872 | YOURDATA.exe
960 | YOURDATA.exe
2420 | Everything.exe
968 | Everything.exe
208 | xdel.exe
380 | xdel.exe
Loads dropped DLL 21 IoCs
pid | Process
3036 | a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe
3036 | a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe
3036 | a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe
2660 | 3usdaa.exe
2660 | 3usdaa.exe
3068 | YOURDATA.exe
2556 | cmd.exe
960 | YOURDATA.exe
848 | YOURDATA.exe
2872 | YOURDATA.exe
3068 | YOURDATA.exe
3068 | YOURDATA.exe
3068 | YOURDATA.exe
3068 | YOURDATA.exe
3068 | YOURDATA.exe
2872 | YOURDATA.exe
2872 | YOURDATA.exe
2872 | YOURDATA.exe
2872 | YOURDATA.exe
3068 | YOURDATA.exe
3068 | YOURDATA.exe
Modifies system executable filetype association 2 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | YOURDATA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | YOURDATA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | 3usdaa.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\exefile\shell\open\command | 3usdaa.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\exefile\shell | 3usdaa.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\exefile\shell\open | 3usdaa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" | 3usdaa.exe
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | 3usdaa.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\exefile\shell\open\command | YOURDATA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" | YOURDATA.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection | DC.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOURDATA = "\"C:\\Users\\Admin\\AppData\\Local\\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\\YOURDATA.exe\" " | 3usdaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOURDATA.exe = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\----Read-Me-----.txt\"" | YOURDATA.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | YOURDATA.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | DC.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | DC.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | wbadmin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 19 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" | 3usdaa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile | YOURDATA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell | YOURDATA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command | YOURDATA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.3000USDAA\ = "mimicfile" | YOURDATA.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.3000USDAA | YOURDATA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | 3usdaa.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\exefile\shell\open | 3usdaa.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\exefile\shell\open\command | YOURDATA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" | YOURDATA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\----Read-Me-----.txt\"" | YOURDATA.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\exefile\shell\open\command | 3usdaa.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\exefile | 3usdaa.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\exefile\shell | 3usdaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | YOURDATA.exe
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | 3usdaa.exe
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | YOURDATA.exe
Key created | \REGISTRY\MACHINE\Software\Classes\mimicfile\shell\open\command | YOURDATA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open | YOURDATA.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2420 | Everything.exe
968 | Everything.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process                                                                    procid_target
PID 3036 wrote to memory of 2368  3036  a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe  28
PID 3036 wrote to memory of 2720  3036  a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe  30
PID 3036 wrote to memory of 2660  3036  a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe  32
PID 2660 wrote to memory of 3068  2660  3usdaa.exe                                                                 33
PID 3068 wrote to memory of 2556  3068  YOURDATA.exe                                                               34
PID 2556 wrote to memory of 1928  2556  cmd.exe                                                                    36
PID 3068 wrote to memory of 848   3068  YOURDATA.exe                                                               37
PID 3068 wrote to memory of 2872  3068  YOURDATA.exe                                                               38
PID 3068 wrote to memory of 960   3068  YOURDATA.exe                                                               39
PID 3068 wrote to memory of 2420  3068  YOURDATA.exe                                                               41
PID 3036 wrote to memory of 1384  3036  a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe  42
PID 3068 wrote to memory of 2360  3068  YOURDATA.exe                                                               46
PID 3068 wrote to memory of 1164  3068  YOURDATA.exe                                                               48
PID 3068 wrote to memory of 964   3068  YOURDATA.exe                                                               50
PID 3068 wrote to memory of 1904  3068  YOURDATA.exe                                                               51
PID 3068 wrote to memory of 1548  3068  YOURDATA.exe                                                               62
(each of the 16 parent/child relationships above is recorded four times in the raw report, which accounts for the 64 IoCs)
-
System policy modification 1 TTPs 13 IoCs
description      ioc                                                                                                           Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Your data on your system has been encrypted by us....\n\nWe want you to know that you will not get your data back with the usual data recovery methods...\n\nWe will restore your data for 3000 dollars.\n\nYou can send an e-mail with your reference code below\n\nWe Do Not Negotiate \nWe do not give discounts.\nThe price is very reasonable\n\n\n######################################################################\n\nIf you contact me to ask for a discount or to negotiate, I will increase the price I offer.\n\n######################################################################\n\nWhen you send us an e-mail, please send us your reference code below\n\n=> YOUR REFERENCE CODE <=\n\n7LI1HIE4hVC9-eJAezCJEQ5KfqBF-45EESK93vSiak0*[email protected]\n\n=> OUR E-MAIL ADDRESS <=\n\[email protected]\[email protected]\[email protected]"  YOURDATA.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = " "  YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"  YOURDATA.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection  YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"  YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  YOURDATA.exe
Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  YOURDATA.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\System  YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1"  YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  YOURDATA.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  YOURDATA.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 3036
  [2] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2368
  [2] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p58042791667523172 Everything64.dll
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2720
  [2] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3usdaa.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3usdaa.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2660
    [3] C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe
        cmdline: "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe"
        - UAC bypass
        - Sets file execution options in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system executable filetype association
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 3068
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd.exe /c DC.exe /D
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 2556
        [5] C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\DC.exe
            cmdline: DC.exe /D
            - Modifies security service
            - Executes dropped EXE
            - Windows security modification
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1928
      [4] C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe
          cmdline: "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe" -e watch -pid 3068 -!
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 848
      [4] C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe
          cmdline: "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe" -e ul1
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          PID: 2872
      [4] C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe
          cmdline: "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe" -e ul2
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 960
      [4] C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.exe
          cmdline: "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.exe" -startup
          - Executes dropped EXE
          - Enumerates connected drives
          - Suspicious use of SetWindowsHookEx
          PID: 2420
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg.exe -H off
          PID: 2360
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          PID: 1164
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          PID: 964
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          PID: 1904
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          PID: 2452
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          PID: 1404
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          PID: 1836
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          PID: 2868
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          PID: 1280
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          PID: 708
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          PID: 1548
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
          PID: 272
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
          - Suspicious behavior: EnumeratesProcesses
          PID: 2044
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
          - Suspicious behavior: EnumeratesProcesses
          PID: 1388
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
          - Suspicious behavior: EnumeratesProcesses
          PID: 2404
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
          PID: 984
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          PID: 1664
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          PID: 1832
      [4] C:\Windows\system32\bcdedit.exe
          cmdline: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit
          PID: 2088
      [4] C:\Windows\system32\wbadmin.exe
          cmdline: wbadmin.exe delete catalog -quiet
          - Deletes backup catalog
          PID: 2136
      [4] C:\Windows\system32\wbadmin.exe
          cmdline: wbadmin.exe DELETE SYSTEMSTATEBACKUP
          - Deletes System State backups
          - Drops file in Windows directory
          PID: 3016
      [4] C:\Windows\system32\bcdedit.exe
          cmdline: bcdedit.exe /set {default} recoveryenabled no
          - Modifies boot configuration data using bcdedit
          PID: 2648
      [4] C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.exe
          cmdline: "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.exe" -startup
          - Executes dropped EXE
          - Enumerates connected drives
          - Suspicious use of SetWindowsHookEx
          PID: 968
      [4] C:\Windows\SysWOW64\notepad.exe
          cmdline: notepad.exe "C:\Users\Admin\AppData\Local\----Read-Me-----.txt"
          PID: 2088
      [4] C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\xdel.exe
          cmdline: "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\xdel.exe" -accepteula -p 1 -c F:\
          - Executes dropped EXE
          PID: 208
      [4] C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\xdel.exe
          cmdline: "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\xdel.exe" -accepteula -p 1 -c C:\
          - Executes dropped EXE
          PID: 380
  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      - Deletes itself
      PID: 1384
[1] C:\Windows\system32\gpscript.exe
    cmdline: gpscript.exe /RefreshSystemParam
    PID: 1104
[1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    PID: 2512
[1] C:\Windows\system32\wbengine.exe
    cmdline: "C:\Windows\system32\wbengine.exe"
    PID: 2672
[1] C:\Windows\System32\vdsldr.exe
    cmdline: C:\Windows\System32\vdsldr.exe -Embedding
    PID: 2820
[1] C:\Windows\System32\vds.exe
    cmdline: C:\Windows\System32\vds.exe
    PID: 1660
Network
MITRE ATT&CK Enterprise v15
(tactic, then technique and sub-technique with the number of matching signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Change Default File Association (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Change Default File Association (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (7)
Downloads