d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-01-2024 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
Size

42KB
MD5

8d809510a9ae7b8ef6fc6a25e5feaa22
SHA1

eb0888326adbbbdf1537a965c4d26c71549d43f6
SHA256

d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043
SHA512

a9ed43be1285f73fda873ee0e39070d4cb3b4b5bd1e69b1506a42f4827f22d0d2f0ad2d25f204ea288f97f6eef787bf0133d0b3659bb8e815f55ff74210e557c
SSDEEP

768:PO1oR/UVS1RzK4wbs+D/SIJX+ZZ1SQQwZuIOPzDRufTwsylLO/Ov:PoS1FKnDtkuImTlLOe

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay us. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (8300) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2636	wbadmin.exe

Deletes itself 1 IoCs

pid	Process
2936	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\423E.tmp.bmp"	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCHKBRD.XML	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Java\jre7\README.txt	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02441_.WMF	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RSSITEMS.ICO	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_GreenTea.gif	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_ja.jar	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0324694.WMF	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXC	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_down.png	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\profile.jfc	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\+README-WARNING+.txt	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21308_.GIF	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR15F.GIF	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCOUPON.XML	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02039_.GIF	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\gadget.xml	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME09.CSS	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT.DPV	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\service.js	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\+README-WARNING+.txt	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\service.js	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00914_.WMF	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryResume.dotx	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\logo.png	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\PREVIEW.GIF	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21520_.GIF	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\+README-WARNING+.txt	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\Sidebar.exe.mui	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_dot.png	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237225.WMF	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00256_.WMF	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGN98.POC	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\calendar.js	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\InvokeJoin.vstm	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18196_.WMF	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\SUBMIT.JS	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\eBook.api	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18217_.WMF	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CAMERA.WAV	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN082.XML	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1920	vssadmin.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2636	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2080	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeBackupPrivilege	2712	vssvc.exe
Token: SeRestorePrivilege	2712	vssvc.exe
Token: SeAuditPrivilege	2712	vssvc.exe
Token: SeBackupPrivilege	2572	wbengine.exe
Token: SeRestorePrivilege	2572	wbengine.exe
Token: SeSecurityPrivilege	2572	wbengine.exe
Token: SeIncreaseQuotaPrivilege	2920	WMIC.exe
Token: SeSecurityPrivilege	2920	WMIC.exe
Token: SeTakeOwnershipPrivilege	2920	WMIC.exe
Token: SeLoadDriverPrivilege	2920	WMIC.exe
Token: SeSystemProfilePrivilege	2920	WMIC.exe
Token: SeSystemtimePrivilege	2920	WMIC.exe
Token: SeProfSingleProcessPrivilege	2920	WMIC.exe
Token: SeIncBasePriorityPrivilege	2920	WMIC.exe
Token: SeCreatePagefilePrivilege	2920	WMIC.exe
Token: SeBackupPrivilege	2920	WMIC.exe
Token: SeRestorePrivilege	2920	WMIC.exe
Token: SeShutdownPrivilege	2920	WMIC.exe
Token: SeDebugPrivilege	2920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2920	WMIC.exe
Token: SeRemoteShutdownPrivilege	2920	WMIC.exe
Token: SeUndockPrivilege	2920	WMIC.exe
Token: SeManageVolumePrivilege	2920	WMIC.exe
Token: 33	2920	WMIC.exe
Token: 34	2920	WMIC.exe
Token: 35	2920	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2920	WMIC.exe
Token: SeSecurityPrivilege	2920	WMIC.exe
Token: SeTakeOwnershipPrivilege	2920	WMIC.exe
Token: SeLoadDriverPrivilege	2920	WMIC.exe
Token: SeSystemProfilePrivilege	2920	WMIC.exe
Token: SeSystemtimePrivilege	2920	WMIC.exe
Token: SeProfSingleProcessPrivilege	2920	WMIC.exe
Token: SeIncBasePriorityPrivilege	2920	WMIC.exe
Token: SeCreatePagefilePrivilege	2920	WMIC.exe
Token: SeBackupPrivilege	2920	WMIC.exe
Token: SeRestorePrivilege	2920	WMIC.exe
Token: SeShutdownPrivilege	2920	WMIC.exe
Token: SeDebugPrivilege	2920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2920	WMIC.exe
Token: SeRemoteShutdownPrivilege	2920	WMIC.exe
Token: SeUndockPrivilege	2920	WMIC.exe
Token: SeManageVolumePrivilege	2920	WMIC.exe
Token: 33	2920	WMIC.exe
Token: 34	2920	WMIC.exe
Token: 35	2920	WMIC.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2708	2080	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe	27
PID 2080 wrote to memory of 2708	2080	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe	27
PID 2080 wrote to memory of 2708	2080	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe	27
PID 2080 wrote to memory of 2708	2080	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe	27
PID 2708 wrote to memory of 1920	2708	cmd.exe	30
PID 2708 wrote to memory of 1920	2708	cmd.exe	30
PID 2708 wrote to memory of 1920	2708	cmd.exe	30
PID 2708 wrote to memory of 2636	2708	cmd.exe	34
PID 2708 wrote to memory of 2636	2708	cmd.exe	34
PID 2708 wrote to memory of 2636	2708	cmd.exe	34
PID 2708 wrote to memory of 2920	2708	cmd.exe	38
PID 2708 wrote to memory of 2920	2708	cmd.exe	38
PID 2708 wrote to memory of 2920	2708	cmd.exe	38
PID 2080 wrote to memory of 2936	2080	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe	45
PID 2080 wrote to memory of 2936	2080	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe	45
PID 2080 wrote to memory of 2936	2080	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe	45
PID 2080 wrote to memory of 2936	2080	d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe	45
PID 2936 wrote to memory of 2636	2936	cmd.exe	47
PID 2936 wrote to memory of 2636	2936	cmd.exe	47
PID 2936 wrote to memory of 2636	2936	cmd.exe	47
PID 2936 wrote to memory of 2636	2936	cmd.exe	47
PID 2936 wrote to memory of 1520	2936	cmd.exe	48
PID 2936 wrote to memory of 1520	2936	cmd.exe	48
PID 2936 wrote to memory of 1520	2936	cmd.exe	48
PID 2936 wrote to memory of 1520	2936	cmd.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
"C:\Users\Admin\AppData\Local\Temp\d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe"
1⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1920
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:2636
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- C:\Users\Admin\AppData\Local\Temp\d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
  "C:\Users\Admin\AppData\Local\Temp\d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe" n2080
  2⤵
  PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 5 & fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe" & del /q /f "C:\Users\Admin\AppData\Local\Temp\d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 5
    3⤵
    - Runs ping.exe
    PID:2636
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe"
    3⤵
    PID:1520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2016

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2064

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt

Filesize
1KB

MD5
5050dfc1de9457c380804ea54d95eb96

SHA1
598f2d5997cc0bd0d5bcf49232d93be6876db913

SHA256
37659d4b3904b1ec1cf95165926116379293b4b0cd7730c81197109aa9af7ac0

SHA512
98860f03d6e694e1414d31ba7607349324ec63cb9f90831ec48a3fbd6694944c5ab49268d1bc2337092746fc34641e88a9a7df5cdc22bff2ebe88a9b3f9934ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d267c39612fd54d085e761c60d891dd

SHA1
96da0a2fce40dae7d9d833f21a7decd6a45b65f7

SHA256
eb881ad6c0c213df6933f572f1a406cf886151eb80c6a1a37ad8d47241a90717

SHA512
ed6a876faef3d2b50cdf735002950de3a79cf3b8c6f48daef46a298977dbde32dc0746d5c04c96e24e134bda8a4b7366be168ed69a08bf5e6acec13938dff448

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3F34.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3FD3.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit