Analysis
max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
12-03-2024 04:58
Static task
static1
Behavioral task
behavioral1
Sample
8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe
Resource
win10v2004-20240226-en
General
Target
8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe
Size
2.5MB
MD5
e49ba2b2c27a164cf3b652069fc984c2
SHA1
1a6c7d91286220e2c28a665f85633825ef578e95
SHA256
8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c
SHA512
2c4336dc6e062483753d760c339fb4bd7e6e06dfc5b9b25d4b05885414a9b7a5b9c62931558c31f1f398862c111ad35c6389c1ee3af15af2d2cbc3db85ecc670
SSDEEP
49152:+L2K7HrOi1eIhFwRncwD0FnPYAEhd/KOw8QwsJM60lQYJnn3Ect76:wd7Hrhh2RcYonAJ6BM667nnRt
Malware Config
Extracted from C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_READ_THIS_FILE_CG8XMGC_.hta
Family: cerber
Extracted from C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THIS_FILE_IUO71_.txt
URLs (the same victim path on one onion service and on five clearnet gateway hosts):
http://p27dokhpz2n7nvgr.onion/817D-34A8-6A64-0091-BDCF
http://p27dokhpz2n7nvgr.1hkjl3.top/817D-34A8-6A64-0091-BDCF
http://p27dokhpz2n7nvgr.16nxpn.top/817D-34A8-6A64-0091-BDCF
http://p27dokhpz2n7nvgr.133chr.top/817D-34A8-6A64-0091-BDCF
http://p27dokhpz2n7nvgr.17gvad.top/817D-34A8-6A64-0091-BDCF
http://p27dokhpz2n7nvgr.15yvce.top/817D-34A8-6A64-0091-BDCF
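The six URLs above carry everything a responder needs from the note: the onion service, the per-victim path, and the clearnet gateway domains the victim is expected to use when Tor is unavailable. The Python below is an added example (not sandbox tooling and not part of the original report) that pulls those out of note text, defangs them for a ticket, and builds a domain blocklist. The note body is constructed here from the report's URLs; the victim-ID pattern is the one seen in those URLs, and the hostnames are assumed to follow the `<onion-label>.<gateway>` layout they show.

```python
"""Pull network IOCs and the victim ID out of Cerber ransom-note URLs.

Added example for this report, not tooling from the sandbox. The note
text below is constructed from the six URLs the sandbox extracted; a real
note wraps them in HTML or prose, so the extractor scans for URLs rather
than assuming a fixed layout.
"""
import re
from urllib.parse import urlsplit

# Constructed stand-in for the extracted note (same URLs as the report).
SAMPLE_NOTE = """
Your documents, photos, databases and other important files have been encrypted!
http://p27dokhpz2n7nvgr.onion/817D-34A8-6A64-0091-BDCF
http://p27dokhpz2n7nvgr.1hkjl3.top/817D-34A8-6A64-0091-BDCF
http://p27dokhpz2n7nvgr.16nxpn.top/817D-34A8-6A64-0091-BDCF
http://p27dokhpz2n7nvgr.133chr.top/817D-34A8-6A64-0091-BDCF
http://p27dokhpz2n7nvgr.17gvad.top/817D-34A8-6A64-0091-BDCF
http://p27dokhpz2n7nvgr.15yvce.top/817D-34A8-6A64-0091-BDCF
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Victim ID as it appears in this report's URLs: five dash-separated groups of four hex digits.
VICTIM_ID_RE = re.compile(r"^/([0-9A-F]{4}(?:-[0-9A-F]{4}){4})/?$")
# v2 onion address: 16 base32 characters.
ONION_V2_RE = re.compile(r"^[a-z2-7]{16}\.onion$")


def extract_iocs(note_text):
    """Return the onion service, victim IDs, gateway domains and raw URLs found in the note."""
    onion = None
    victim_ids = set()
    gateways = set()
    urls = []
    for url in URL_RE.findall(note_text):
        url = url.rstrip(".,;)")  # trailing punctuation when a URL ends a sentence
        parts = urlsplit(url)
        host = parts.hostname or ""
        m = VICTIM_ID_RE.match(parts.path)
        if m:
            victim_ids.add(m.group(1))
        if ONION_V2_RE.match(host):
            onion = host
        elif not host.endswith(".onion") and host.count(".") >= 2:
            # gateway form assumed from the report: <onion-label>.<gateway-domain>
            gateways.add(host.split(".", 1)[1])
        urls.append(url)
    return {"onion": onion, "victim_ids": sorted(victim_ids),
            "gateway_domains": sorted(gateways), "urls": urls}


def defang(indicator):
    """Make a URL or hostname safe to paste into a ticket or chat."""
    return (indicator.replace("http://", "hxxp://")
                     .replace("https://", "hxxps://")
                     .replace(".", "[.]"))


def blocklist(iocs):
    """Domains to push to DNS/proxy blocking: gateway domains, the onion, and every full hostname."""
    domains = set(iocs["gateway_domains"])
    if iocs["onion"]:
        domains.add(iocs["onion"])
    for url in iocs["urls"]:
        host = urlsplit(url).hostname
        if host:
            domains.add(host)  # the exact names the victim's browser resolves
    return sorted(domains)


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_NOTE)
    print("victim:", found["victim_ids"], "onion:", defang(found["onion"] or ""))
    for d in blocklist(found):
        print("block", defang(d))
```

Blocking the bare gateway domains (the `*.top` registrations) rather than only the full hostnames matters because the onion label in front of them is the operator's, not the victim's, so the same gateways serve every victim of this campaign.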
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016.
-
Contacts a large number (1114) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services. For Cerber the more likely explanation is the family's post-infection UDP statistics beacon, which is sprayed across a wide IP range rather than aimed at individual services; check the capture for one-way UDP to a contiguous range before treating this as reconnaissance.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
pid 2132 netsh.exe
pid 2208 netsh.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence: Cerber historically declines to encrypt hosts whose locale places them in CIS countries.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation (process 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe)
-
Drops startup file 1 IoCs
Processes:
File opened for modification: \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ (process 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe)
-
Drops file in System32 directory 38 IoCs
Processes:
All 38 entries are "File opened for modification" by 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe:
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word
\??\c:\windows\SysWOW64\config\systemprofile\desktop
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam
\??\c:\windows\SysWOW64\config\systemprofile\documents
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
pid 2488 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe (7 events)
-
Drops file in Program Files directory 20 IoCs
Processes:
All 20 entries are "File opened for modification" by 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe:
\??\c:\program files\
\??\c:\program files (x86)\microsoft\office
\??\c:\program files (x86)\microsoft\word
\??\c:\program files (x86)\thunderbird
\??\c:\program files (x86)\
\??\c:\program files (x86)\microsoft\onenote
\??\c:\program files (x86)\microsoft\outlook
\??\c:\program files (x86)\microsoft\powerpoint
\??\c:\program files (x86)\onenote
\??\c:\program files (x86)\the bat!
\??\c:\program files (x86)\excel
\??\c:\program files (x86)\microsoft sql server
\??\c:\program files (x86)\word
\??\c:\program files (x86)\steam
\??\c:\program files (x86)\bitcoin
\??\c:\program files (x86)\microsoft\excel
\??\c:\program files (x86)\microsoft\microsoft sql server
\??\c:\program files (x86)\office
\??\c:\program files (x86)\outlook
\??\c:\program files (x86)\powerpoint
-
Drops file in Windows directory 64 IoCs
Processes:
All 64 entries are "File opened for modification" by 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe:
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin
\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server
\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote
\??\c:\windows\serviceprofiles\localservice\appdata\local\steam
\??\c:\windows\serviceprofiles\localservice\desktop
\??\c:\windows\serviceprofiles\networkservice\desktop
\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel
\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server
\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word
\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!
\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word
\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office
\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird
\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote
\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint
\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office
\??\c:\windows\serviceprofiles\networkservice\appdata\local\office
\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office
\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam
\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word
\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server
\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird
\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote
\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook
\??\c:\windows\serviceprofiles\networkservice\documents
\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server
\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint
\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook
\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird
\??\c:\windows\serviceprofiles\networkservice\appdata\local\word
\??\c:\windows\serviceprofiles\localservice\documents
\??\c:\windows\
\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook
\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word
\??\c:\windows\serviceprofiles\localservice\appdata\local\excel
\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel
-
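The three "Drops file in ..." signatures above are one behaviour seen from three vantage points: the sample walks the same application-named folders (office, outlook, onenote, bitcoin, steam, thunderbird, the bat!, microsoft sql server, desktop, documents) under the user's profile, the SysWOW64 systemprofile, both ServiceProfiles and both Program Files roots. Legitimate software touches its own folder under one profile; a single process sweeping those names across roots it has no business in is the pre-encryption enumeration. The Python below is an added example, not sandbox output, that turns that observation into a detection over file-open events. The sample's events are constructed from paths in the report; the benign Outlook process is an invented contrast case, and the thresholds are assumptions to tune against your own telemetry.

```python
"""Flag a process that sweeps application-data folders across every profile root.

Added example for this report, not sandbox tooling. Events are
(pid, image, path) triples; the sample's paths are taken from the report's
IoC lists, the Outlook process is a constructed benign contrast.
"""
import re
from collections import defaultdict

SAMPLE = "8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe"

# Folder names the sample probed, taken from the report's IoC lists.
TARGET_FOLDERS = {
    "office", "word", "excel", "outlook", "onenote", "powerpoint",
    "thunderbird", "the bat!", "bitcoin", "steam", "microsoft sql server",
    "desktop", "documents",
}

# Profile roots, most specific first (plain "program files" must come after "(x86)").
PROFILE_ROOT_RES = [
    re.compile(r"^c:\\windows\\syswow64\\config\\systemprofile"),
    re.compile(r"^c:\\windows\\serviceprofiles\\[^\\]+"),
    re.compile(r"^c:\\users\\[^\\]+"),
    re.compile(r"^c:\\program files \(x86\)"),
    re.compile(r"^c:\\program files"),
]


def classify(path):
    """Return (profile_root, target_folder_or_None), or None when outside every profile root."""
    p = path.lower()
    if p.startswith("\\??\\"):  # NT object-manager prefix as the sandbox reports it
        p = p[4:]
    for rx in PROFILE_ROOT_RES:
        m = rx.match(p)
        if m:
            root = m.group(0)
            leaf = p[len(root):].strip("\\").split("\\")[-1]
            return root, (leaf if leaf in TARGET_FOLDERS else None)
    return None


def sweep_detections(events, min_roots=3, min_folders=5):
    """Return {pid: (roots, folders)} for processes touching target folders across many profile roots."""
    roots = defaultdict(set)
    folders = defaultdict(set)
    for pid, _image, path in events:
        c = classify(path)
        if c is None:
            continue
        root, folder = c
        roots[pid].add(root)
        if folder:
            folders[pid].add(folder)
    return {pid: (sorted(roots[pid]), sorted(folders[pid]))
            for pid in roots
            if len(roots[pid]) >= min_roots and len(folders[pid]) >= min_folders}


# Constructed events: a subset of the sample's reported paths plus a benign process.
EVENTS = [
    (2488, SAMPLE, r"\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server"),
    (2488, SAMPLE, r"\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin"),
    (2488, SAMPLE, r"\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!"),
    (2488, SAMPLE, r"\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam"),
    (2488, SAMPLE, r"\??\c:\windows\serviceprofiles\localservice\desktop"),
    (2488, SAMPLE, r"\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird"),
    (2488, SAMPLE, r"\??\c:\windows\serviceprofiles\networkservice\documents"),
    (2488, SAMPLE, r"\??\c:\program files (x86)\microsoft\outlook"),
    (2488, SAMPLE, r"\??\c:\program files (x86)\onenote"),
    (2488, SAMPLE, r"\??\c:\program files" "\\"),
    (2488, SAMPLE, r"\??\c:\users\admin\appdata\roaming\microsoft\word\startup" "\\"),
    # invented benign contrast: Outlook touching only its own folders under one profile
    (3000, "OUTLOOK.EXE", r"\??\c:\users\admin\appdata\local\microsoft\outlook"),
    (3000, "OUTLOOK.EXE", r"\??\c:\users\admin\appdata\roaming\microsoft\outlook"),
]

if __name__ == "__main__":
    for pid, (roots, folders) in sweep_detections(EVENTS).items():
        print(f"pid {pid}: {len(roots)} profile roots, folders {folders}")
```

The root probes (`c:\program files\`, the Word `startup\` folder) count toward the root total but not the folder total, so a process that merely lists a few directories does not trip the rule; it takes both breadth across profiles and the application-folder fingerprint.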
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes:
pid 2568 taskkill.exe
-
Modifies registry class 1 IoCs
Processes:
Key created: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings (process 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe)
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid 1436 NOTEPAD.EXE
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Token: SeShutdownPrivilege, pid 2488 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe
Token: SeCreatePagefilePrivilege, pid 2488 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe
Token: SeDebugPrivilege, pid 2568 taskkill.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid 2488 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes (each source/target pair is reported three times, 21 events in total):
PID 2488 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe wrote to memory of 2132 netsh.exe
PID 2488 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe wrote to memory of 2208 netsh.exe
PID 2488 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe wrote to memory of 756 mshta.exe
PID 2488 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe wrote to memory of 1436 NOTEPAD.EXE
PID 2488 8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe wrote to memory of 4656 cmd.exe
PID 4656 cmd.exe wrote to memory of 2568 taskkill.exe
PID 4656 cmd.exe wrote to memory of 1596 PING.EXE
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe"
  - Checks computer location settings
  - Drops startup file
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\netsh.exe
    Command line: C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
    - Modifies Windows Firewall
  - (depth 2) C:\Windows\SysWOW64\netsh.exe
    Command line: C:\Windows\system32\netsh.exe advfirewall reset
    - Modifies Windows Firewall
  - (depth 2) C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_0M5TU_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - (depth 2) C:\Windows\SysWOW64\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_X9J6UES_.txt
    - Opens file in notepad (likely ransom note)
  - (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im "8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - (depth 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 1 127.0.0.1
      - Runs ping.exe
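The process tree above is the detection opportunity for this family on the host: two `netsh advfirewall` invocations from a binary in the user's Temp directory, the ransom note opened through `mshta.exe` and `NOTEPAD.EXE`, and a `cmd.exe` child that runs `taskkill /f /im` against its own parent image and pings loopback once to stall while the parent dies. Note also that every note file name is `_READ_THIS_FILE_<random>_`, so a glob is the right match, not a literal. The Python below is an added example (not sandbox output or anything from the report's authors) that implements those three checks over process-creation events. The events are constructed from the tree; the root process's parent PID (1000), the Sysmon-style field layout, and the list of user-writable path markers are assumptions.

```python
"""Detect the Cerber process chain shown in this report over process-creation events.

Added example, not sandbox output. EVENTS is constructed from the report's
process tree: (pid, parent pid, image path, command line). The root's
parent PID 1000 is assumed; the report does not show it.
"""
import fnmatch
import ntpath
import re

SAMPLE = "8ae3fd7c63fdc8bd79ab0890edd553d701482b7e90910b0eaa7e32f28b867e5c.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYSWOW = r"C:\Windows\SysWOW64"

EVENTS = [
    (2488, 1000, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    (2132, 2488, SYSWOW + r"\netsh.exe", r"C:\Windows\system32\netsh.exe advfirewall set allprofiles state on"),
    (2208, 2488, SYSWOW + r"\netsh.exe", r"C:\Windows\system32\netsh.exe advfirewall reset"),
    (756, 2488, SYSWOW + r"\mshta.exe",  # trailing GUID argument shortened to one copy
     r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_0M5TU_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'),
    (1436, 2488, SYSWOW + r"\NOTEPAD.EXE",
     r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_X9J6UES_.txt'),
    (4656, 2488, SYSWOW + r"\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (2568, 4656, SYSWOW + r"\taskkill.exe", 'taskkill /f /im "' + SAMPLE + '"'),
    (1596, 4656, SYSWOW + r"\PING.EXE", "ping -n 1 127.0.0.1"),
]

# Assumed markers for "a binary that should not be reconfiguring the firewall lives here".
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
NOTE_GLOB = "_read_this_file_*"  # the report shows a random suffix in every note name
ARG_RE = re.compile(r'"([^"]+)"|(\S+)')


def _basename(path):
    return ntpath.basename(path.strip('"')).lower()


def _is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def detect(events):
    """Return (rule, pid) findings for the three Cerber-style patterns."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    children = {}
    for pid, ppid, _image, _cmd in events:
        children.setdefault(ppid, []).append(pid)
    findings = []
    for pid, ppid, image, cmd in events:
        name = _basename(image)
        low = cmd.lower()
        parent = by_pid.get(ppid)
        # 1. netsh advfirewall reset / profile state change spawned from a user-writable path
        if name == "netsh.exe" and "advfirewall" in low and ("reset" in low or " state " in low):
            if parent and _is_user_writable(parent[1]):
                findings.append(("firewall_tamper_from_user_path", pid))
        # 2. ransom-note display: mshta/notepad handed a _READ_THIS_FILE_* document
        if name in ("mshta.exe", "notepad.exe"):
            for quoted, bare in ARG_RE.findall(cmd)[1:]:  # skip the program itself
                if fnmatch.fnmatch(_basename(quoted or bare), NOTE_GLOB):
                    findings.append(("ransom_note_displayed", pid))
                    break
        # 3. cmd.exe whose children taskkill the cmd's parent image and ping loopback
        if name == "cmd.exe" and parent:
            parent_name = _basename(parent[1])
            kids = [(_basename(by_pid[c][1]), by_pid[c][2].lower()) for c in children.get(pid, [])]
            killed_parent = any(k == "taskkill.exe" and "/im" in c and parent_name in c for k, c in kids)
            loopback_ping = any(k == "ping.exe" and "127.0.0.1" in c for k, c in kids)
            if killed_parent and loopback_ping:
                findings.append(("self_kill_chain", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 keys on the parent's location rather than on netsh alone because installers and Group Policy scripts run the same commands from System32 or Program Files; rule 3 ties the taskkill target back to the grandparent image, which is what separates this cleanup chain from an administrator killing an unrelated process.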
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_READ_THIS_FILE_CG8XMGC_.hta
Filesize 75KB
MD5 0219489e1f7acd3321ff73d1abc3f122
SHA1 74581e957548f413b880c7f165ad788bcc7bd846
SHA256 cd228868a22ef429ec5b3bf00b9f225232316d066082df9124cc6852ad88bb34
SHA512 9e4bf70ea6b6c0f9491090d79cd87bd8dc49d6e34f175a98e9928d6bd5c3557a7819aed75065758f55a9f72c940a332bcce8ccf3075142e27c117f2f24588c57
-
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THIS_FILE_IUO71_.txt
Filesize 1KB
MD5 f1054a83d57a5898deda860062a160ab
SHA1 a3e2f823fd82ba301d97c6280e358d882d235528
SHA256 fb76ea79a3ae792bb187bdd705d7b3aa048652d0599b9dda3990006224ea83f0
SHA512 ef3b71ba7371b5a285ce400dfcadffeebc66f8b0e27e74ba47fa2dda104e39a5ebc2ec2589c843217be387568dd3b16dc85cbed090d146841408376bed8c5c3f
-
Memory dumps (pid 2488):
memory/2488-4-0x0000000001230000-0x0000000001231000-memory.dmp Filesize 4KB
memory/2488-9-0x000000007FA70000-0x000000007FE41000-memory.dmp Filesize 3.8MB
memory/2488-0-0x0000000000400000-0x0000000000DEB000-memory.dmp Filesize 9.9MB
memory/2488-5-0x0000000000400000-0x0000000000DEB000-memory.dmp Filesize 9.9MB
memory/2488-6-0x0000000000400000-0x0000000000DEB000-memory.dmp Filesize 9.9MB
memory/2488-7-0x0000000000400000-0x0000000000DEB000-memory.dmp Filesize 9.9MB
memory/2488-8-0x0000000000400000-0x0000000000DEB000-memory.dmp Filesize 9.9MB
memory/2488-2-0x0000000000400000-0x0000000000DEB000-memory.dmp Filesize 9.9MB
memory/2488-12-0x0000000000400000-0x0000000000DEB000-memory.dmp Filesize 9.9MB
memory/2488-3-0x0000000001130000-0x0000000001131000-memory.dmp Filesize 4KB
memory/2488-1-0x000000007FA70000-0x000000007FE41000-memory.dmp Filesize 3.8MB
memory/2488-376-0x0000000000400000-0x0000000000DEB000-memory.dmp Filesize 9.9MB
memory/2488-382-0x0000000000400000-0x0000000000DEB000-memory.dmp Filesize 9.9MB
memory/2488-384-0x0000000000400000-0x0000000000DEB000-memory.dmp Filesize 9.9MB
memory/2488-385-0x0000000000400000-0x0000000000DEB000-memory.dmp Filesize 9.9MB