34e1b92e38659dd6407c5065a3dd0cd8b791b182af5eaeb26b2a4573bc2177ea

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_060d41f75055ed0ffd43a408e6a5801e.exe
Size

345KB
MD5

060d41f75055ed0ffd43a408e6a5801e
SHA1

96a466c5dbc7e4a10257afb3bd8b790f965084d9
SHA256

34e1b92e38659dd6407c5065a3dd0cd8b791b182af5eaeb26b2a4573bc2177ea
SHA512

663cd0f6d73fd7a91a6b7058c201bfe8f6797c94b90f1690119ad7b80f560e8f913143ed8e46c8efcf5d1450aa4eb5b69a0ad1ffc2646fe86f53fc96ecb014ff
SSDEEP

6144:44oibXfchTduH5Gwqp5ASxhJq94C1ORG+v4igk72RC/kVp4uOebbkYCDG:NjbMQk5AOhJFGBmkVpvnkYz

Score

10^/10

persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_gqslo.txt

Ransom Note

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://kwe2342fsd.rt546sdf234re.com/C68DEB6FF2815B2D 2. http://awoeinf832as.wo49i277rnw.com/C68DEB6FF2815B2D 3. https://kb63vhjuk3wh4ex7.onion.to/C68DEB6FF2815B2D If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: kb63vhjuk3wh4ex7.onion/C68DEB6FF2815B2D 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://kwe2342fsd.rt546sdf234re.com/C68DEB6FF2815B2D http://awoeinf832as.wo49i277rnw.com/C68DEB6FF2815B2D https://kb63vhjuk3wh4ex7.onion.to/C68DEB6FF2815B2D Your personal page (using TOR): kb63vhjuk3wh4ex7.onion/C68DEB6FF2815B2D Your personal identification number (if you open the site (or TOR 's) directly): C68DEB6FF2815B2D

URLs

http://kwe2342fsd.rt546sdf234re.com/C68DEB6FF2815B2D

http://awoeinf832as.wo49i277rnw.com/C68DEB6FF2815B2D

https://kb63vhjuk3wh4ex7.onion.to/C68DEB6FF2815B2D

http://kb63vhjuk3wh4ex7.onion/C68DEB6FF2815B2D

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_gqslo.html

Ransom Note

<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> What happened  to your files? All of your files were protected by a strong encryption with RSA-2048 More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a> What  does this mean? This means that the  structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your  files were encrypted with the public key,  which has been  transferred to your computer via the Internet.  Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!. What do I do? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. <div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr> 1.<a href="http://kwe2342fsd.rt546sdf234re.com/C68DEB6FF2815B2D" target="_blank">http://kwe2342fsd.rt546sdf234re.com/C68DEB6FF2815B2D</a> 2.<a href="http://awoeinf832as.wo49i277rnw.com/C68DEB6FF2815B2D" target="_blank">http://awoeinf832as.wo49i277rnw.com/C68DEB6FF2815B2D</a> 3.<a href="https://kb63vhjuk3wh4ex7.onion.to/C68DEB6FF2815B2D" target="_blank">https://kb63vhjuk3wh4ex7.onion.to/C68DEB6FF2815B2D</a> </div> <div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a> 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: kb63vhjuk3wh4ex7.onion/C68DEB6FF2815B2D 4. Follow the instructions on the site.</div> IMPORTANT INFORMATION: <div class="tb" style="width:790px;"> Your Personal PAGES: <a href="http://kwe2342fsd.rt546sdf234re.com/C68DEB6FF2815B2D" target="_blank">http://kwe2342fsd.rt546sdf234re.com/C68DEB6FF2815B2D</a> <a href="http://awoeinf832as.wo49i277rnw.com/C68DEB6FF2815B2D" target="_blank">http://awoeinf832as.wo49i277rnw.com/C68DEB6FF2815B2D</a> <a href="https://kb63vhjuk3wh4ex7.onion.to/C68DEB6FF2815B2D" target="_blank"> https://kb63vhjuk3wh4ex7.onion.to/C68DEB6FF2815B2D</a> Your Personal PAGE (using TOR): kb63vhjuk3wh4ex7.onion/C68DEB6FF2815B2D Your personal code (if you open the site (or TOR 's) directly): C68DEB6FF2815B2D </div></div></center></body></html>

URLs

https://kb63vhjuk3wh4ex7.onion.to/C68DEB6FF2815B2D</a>

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (350) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2288	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_gqslo.txt	vcwpdy.exe

Executes dropped EXE 1 IoCs

pid	Process
2108	vcwpdy.exe

Loads dropped DLL 1 IoCs

pid	Process
1396	VirusShare_060d41f75055ed0ffd43a408e6a5801e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\admvss_ms = "C:\\Users\\Admin\\AppData\\Roaming\\vcwpdy.exe"	vcwpdy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\admvss_ms = "C"	vcwpdy.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\localizedStrings.js	vcwpdy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png	vcwpdy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png	vcwpdy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_left.png	vcwpdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\settings.css	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png	vcwpdy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png	vcwpdy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\logo.png	vcwpdy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png	vcwpdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\currency.js	vcwpdy.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	vcwpdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png	vcwpdy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Journal\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg	vcwpdy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png	vcwpdy.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png	vcwpdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\library.js	vcwpdy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png	vcwpdy.exe
File opened for modification	C:\Program Files\UnprotectTest.pptm	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter_partly-cloudy.png	vcwpdy.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\restore_files_gqslo.html	vcwpdy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\restore_files_gqslo.txt	vcwpdy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\settings.js	vcwpdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\restore_files_gqslo.txt	vcwpdy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2668	vssadmin.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	vcwpdy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	vcwpdy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	vcwpdy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	vcwpdy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	vcwpdy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	vcwpdy.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe
2108	vcwpdy.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1396	VirusShare_060d41f75055ed0ffd43a408e6a5801e.exe
Token: SeDebugPrivilege	2108	vcwpdy.exe
Token: SeBackupPrivilege	2948	vssvc.exe
Token: SeRestorePrivilege	2948	vssvc.exe
Token: SeAuditPrivilege	2948	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 2108	1396	VirusShare_060d41f75055ed0ffd43a408e6a5801e.exe	28
PID 1396 wrote to memory of 2108	1396	VirusShare_060d41f75055ed0ffd43a408e6a5801e.exe	28
PID 1396 wrote to memory of 2108	1396	VirusShare_060d41f75055ed0ffd43a408e6a5801e.exe	28
PID 1396 wrote to memory of 2108	1396	VirusShare_060d41f75055ed0ffd43a408e6a5801e.exe	28
PID 1396 wrote to memory of 2288	1396	VirusShare_060d41f75055ed0ffd43a408e6a5801e.exe	29
PID 1396 wrote to memory of 2288	1396	VirusShare_060d41f75055ed0ffd43a408e6a5801e.exe	29
PID 1396 wrote to memory of 2288	1396	VirusShare_060d41f75055ed0ffd43a408e6a5801e.exe	29
PID 1396 wrote to memory of 2288	1396	VirusShare_060d41f75055ed0ffd43a408e6a5801e.exe	29
PID 2108 wrote to memory of 2668	2108	vcwpdy.exe	31
PID 2108 wrote to memory of 2668	2108	vcwpdy.exe	31
PID 2108 wrote to memory of 2668	2108	vcwpdy.exe	31
PID 2108 wrote to memory of 2668	2108	vcwpdy.exe	31

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vcwpdy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	vcwpdy.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_060d41f75055ed0ffd43a408e6a5801e.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_060d41f75055ed0ffd43a408e6a5801e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Roaming\vcwpdy.exe
  C:\Users\Admin\AppData\Roaming\vcwpdy.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2108
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:2288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_gqslo.html

Filesize
4KB

MD5
4c54ef41f34b8f7f18b3ad208d00b927

SHA1
299a0048481bf50a4462b25b8fbefcd73ef94b42

SHA256
363ba881d4fa1fccc05d91f12a23f52430aae0f1788a705217d684e858bbee6d

SHA512
748cf44ba798a3a2ec75dbf0f9b0acf943bdd2d3b761ec27c58b597a792c9156d8efa2a0838449574b6287afe4e453bee48fac2c28841925f16596d9a95b35be

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_gqslo.txt

Filesize
2KB

MD5
e26b60979f6f2c4f02dc76f7d5749db9

SHA1
fc70868b12d7d5aec9231b92e6cc89701c503322

SHA256
f784a4a6493755229620cfbcd3eab0f31f520dab37c84b304ec11461590d801c

SHA512
fea41514f253d5411701cb20aedf48114d6aa77f161f22a99aa2c79866c8a480bd5c09736d63a9e7dabab88172f417c9660223928e698338e7e0d3634b2bfcd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22b75f72198a902413942be3abf2325b

SHA1
71df514c1ec8039b275ef820abaf3154bbb19fe1

SHA256
6869e354f2f5a9a0b0b11d3b6601a760155315844de39f51666fce0217490aee

SHA512
4f82c2d55472dcd536681ded6d34f9efe231876d500191911cdb2d0932c273cad7a1db06ba40b473a9f303bc1e9b308338f587c89f0ffea64ff8415224fbab05

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF7C9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF877.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Roaming\vcwpdy.exe

Filesize
345KB

MD5
060d41f75055ed0ffd43a408e6a5801e

SHA1
96a466c5dbc7e4a10257afb3bd8b790f965084d9

SHA256
34e1b92e38659dd6407c5065a3dd0cd8b791b182af5eaeb26b2a4573bc2177ea

SHA512
663cd0f6d73fd7a91a6b7058c201bfe8f6797c94b90f1690119ad7b80f560e8f913143ed8e46c8efcf5d1450aa4eb5b69a0ad1ffc2646fe86f53fc96ecb014ff

Download Submit
memory/1396-1-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/1396-0-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1396-5-0x00000000001D0000-0x00000000001D4000-memory.dmp

Filesize
16KB

Download
memory/1396-15-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2108-714-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2108-1926-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2108-568-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2108-345-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2108-17-0x0000000000250000-0x0000000000254000-memory.dmp

Filesize
16KB

Download
memory/2108-12-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2108-1521-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2108-674-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2108-1965-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2108-2071-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2108-2968-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2108-3375-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2108-3452-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2108-3523-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2108-3880-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download