Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-03-2024 19:17

Behavioral task: behavioral1
Sample: cc3652c078fa2bdfbbfae33335c30bda.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: cc3652c078fa2bdfbbfae33335c30bda.exe
Resource: win10v2004-20240226-en

General
Target: cc3652c078fa2bdfbbfae33335c30bda.exe
Size: 1.2MB
MD5: cc3652c078fa2bdfbbfae33335c30bda
SHA1: b3d3ad0c2c9d526717f55c431d51c2f1e957325b
SHA256: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad
SHA512: d027e1df8c10516b81e47ef840f0e2baf971c0e0c4e77ff0fdc0122bbbb66ed210fd78336cb40d05c76d91838ae89ebb3304050dbf7fb7eeec73d47d1d26ec3d
SSDEEP: 12288:QKMzISi3LAStu+KxSgNrc+YCiYKjqxJUZGhEzXMOalwmtnvXigwwdAnIK4RHLrog:vMsSibWXpNrcVEnvXigwwdAIK4R/W3

Malware Config
Extracted: \Device\HarddiskVolume1\Boot\cs-CZ\!!!HOW_TO_DECRYPT!!!.mht
Signatures

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  pid   Process
  3508  bcdedit.exe
  3048  bcdedit.exe

Renames multiple (624) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

  pid   Process
  3216  wbadmin.exe
  1448  wbadmin.exe

Drops file in Drivers directory (13 IoCs)
  description                   ioc                                                          Process
  File opened for modification  C:\Windows\System32\drivers\etc\protocol.gpay                cc3652c078fa2bdfbbfae33335c30bda.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hosts                        cc3652c078fa2bdfbbfae33335c30bda.exe
  File opened for modification  C:\Windows\System32\drivers\etc\networks.gpay                cc3652c078fa2bdfbbfae33335c30bda.exe
  File opened for modification  C:\Windows\System32\drivers\etc\protocol                     cc3652c078fa2bdfbbfae33335c30bda.exe
  File opened for modification  C:\Windows\System32\drivers\etc\services                     cc3652c078fa2bdfbbfae33335c30bda.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hosts.gpay                   cc3652c078fa2bdfbbfae33335c30bda.exe
  File opened for modification  C:\Windows\System32\drivers\etc\networks.inprocess           cc3652c078fa2bdfbbfae33335c30bda.exe
  File opened for modification  C:\Windows\System32\drivers\etc\networks                     cc3652c078fa2bdfbbfae33335c30bda.exe
  File opened for modification  C:\Windows\System32\drivers\etc\protocol.inprocess           cc3652c078fa2bdfbbfae33335c30bda.exe
  File opened for modification  C:\Windows\System32\drivers\etc\services.inprocess           cc3652c078fa2bdfbbfae33335c30bda.exe
  File opened for modification  C:\Windows\System32\drivers\etc\services.gpay                cc3652c078fa2bdfbbfae33335c30bda.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hosts.inprocess              cc3652c078fa2bdfbbfae33335c30bda.exe
  File created                  C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht     cc3652c078fa2bdfbbfae33335c30bda.exe

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  cc3652c078fa2bdfbbfae33335c30bda.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                                                                            Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cc3652c078fa2bdfbbfae33335c30bda.exe\" e"  cc3652c078fa2bdfbbfae33335c30bda.exe

Drops desktop.ini file(s) (1 IoCs)
  description                   ioc                                                                          Process
  File opened for modification  \??\E:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini  cc3652c078fa2bdfbbfae33335c30bda.exe

Enumerates connected drives (3 TTPs, 39 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.

Drops file in System32 directory (64 IoCs)

Drops file in Program Files directory (64 IoCs)

Drops file in Windows directory (64 IoCs)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 13 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 688 vssadmin.exe 1812 vssadmin.exe 1096 vssadmin.exe 2616 vssadmin.exe 4380 vssadmin.exe 2316 vssadmin.exe 3692 vssadmin.exe 4636 vssadmin.exe 2284 vssadmin.exe 812 vssadmin.exe 2972 vssadmin.exe 952 vssadmin.exe 220 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 
cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 2392 cc3652c078fa2bdfbbfae33335c30bda.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeBackupPrivilege 4764 vssvc.exe Token: SeRestorePrivilege 4764 vssvc.exe Token: SeAuditPrivilege 4764 vssvc.exe Token: SeIncreaseQuotaPrivilege 1732 wmic.exe Token: SeSecurityPrivilege 1732 wmic.exe Token: SeTakeOwnershipPrivilege 1732 wmic.exe Token: SeLoadDriverPrivilege 1732 wmic.exe Token: SeSystemProfilePrivilege 1732 wmic.exe Token: SeSystemtimePrivilege 1732 wmic.exe Token: SeProfSingleProcessPrivilege 1732 wmic.exe Token: SeIncBasePriorityPrivilege 1732 wmic.exe Token: SeCreatePagefilePrivilege 1732 wmic.exe Token: SeBackupPrivilege 1732 wmic.exe Token: SeRestorePrivilege 1732 wmic.exe Token: SeShutdownPrivilege 1732 wmic.exe Token: SeDebugPrivilege 1732 wmic.exe Token: SeSystemEnvironmentPrivilege 1732 wmic.exe Token: SeRemoteShutdownPrivilege 1732 wmic.exe Token: SeUndockPrivilege 1732 wmic.exe Token: SeManageVolumePrivilege 1732 wmic.exe Token: 33 1732 wmic.exe Token: 34 1732 wmic.exe Token: 35 1732 wmic.exe Token: 36 1732 wmic.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 2392 wrote to memory of 2316 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 89 PID 2392 wrote to memory of 2316 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 89 PID 2392 wrote to memory of 688 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 94 PID 2392 wrote to memory of 688 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 94 PID 2392 wrote to memory of 1812 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 96 PID 2392 wrote to memory of 1812 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 96 PID 2392 wrote to memory of 2284 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 98 PID 2392 wrote to memory of 2284 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 98 PID 2392 wrote to memory of 952 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 100 PID 2392 wrote to memory of 952 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 100 PID 2392 wrote to memory of 1096 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 102 PID 2392 wrote to memory of 1096 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 102 PID 2392 wrote to memory of 3692 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 104 PID 2392 wrote to memory of 3692 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 104 PID 2392 wrote to memory of 2616 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 106 PID 2392 wrote to memory of 2616 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 106 PID 2392 wrote to memory of 4636 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 108 PID 2392 wrote to memory of 4636 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 108 PID 2392 wrote to memory of 220 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 110 PID 2392 wrote to memory of 220 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 110 PID 2392 wrote to memory of 4380 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 113 PID 2392 wrote to memory of 4380 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 113 PID 2392 wrote to memory of 812 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 115 PID 2392 wrote to memory of 812 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 115 PID 2392 wrote to memory of 2972 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 117 
PID 2392 wrote to memory of 2972 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 117 PID 2392 wrote to memory of 3508 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 119 PID 2392 wrote to memory of 3508 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 119 PID 2392 wrote to memory of 3048 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 121 PID 2392 wrote to memory of 3048 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 121 PID 2392 wrote to memory of 3216 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 123 PID 2392 wrote to memory of 3216 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 123 PID 2392 wrote to memory of 1448 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 125 PID 2392 wrote to memory of 1448 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 125 PID 2392 wrote to memory of 1732 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 127 PID 2392 wrote to memory of 1732 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 127 PID 2392 wrote to memory of 2476 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 138 PID 2392 wrote to memory of 2476 2392 cc3652c078fa2bdfbbfae33335c30bda.exe 138 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" cc3652c078fa2bdfbbfae33335c30bda.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (tree; child processes are indented under their parent)

Image: C:\Users\Admin\AppData\Local\Temp\cc3652c078fa2bdfbbfae33335c30bda.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cc3652c078fa2bdfbbfae33335c30bda.exe"
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2392

  Image: C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  - Interacts with shadow copies
  PID:2316

  Image: C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  - Interacts with shadow copies
  PID:688

  Image: C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1812

  Image: C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2284

  Image: C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:952

  Image: C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1096

  Image: C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3692

  Image: C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2616

  Image: C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4636

  Image: C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:220

  Image: C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4380

  Image: C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:812

  Image: C:\Windows\SYSTEM32\vssadmin.exe
  Command line: vssadmin.exe Delete Shadows /All /Quiet
  - Interacts with shadow copies
  PID:2972

  Image: C:\Windows\SYSTEM32\bcdedit.exe
  Command line: bcdedit.exe /set {default} recoveryenabled No
  - Modifies boot configuration data using bcdedit
  PID:3508

  Image: C:\Windows\SYSTEM32\bcdedit.exe
  Command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  - Modifies boot configuration data using bcdedit
  PID:3048

  Image: C:\Windows\SYSTEM32\wbadmin.exe
  Command line: wbadmin DELETE SYSTEMSTATEBACKUP
  - Deletes System State backups
  - Drops file in Windows directory
  PID:3216

  Image: C:\Windows\SYSTEM32\wbadmin.exe
  Command line: wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  - Deletes System State backups
  - Drops file in Windows directory
  PID:1448

  Image: C:\Windows\System32\Wbem\wmic.exe
  Command line: wmic.exe SHADOWCOPY /nointeractive
  - Suspicious use of AdjustPrivilegeToken
  PID:1732

  Image: C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\CC3652~1.EXE >> NUL
  PID:2476

Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4764

Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
PID:2248
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.gpay
Filesize850B
MD578779818b95f1b220fbd0888d08ccfec
SHA11a3839e110dc31063696970d3e017ed0a21665bd
SHA2565ecf0da8f8a50e4b638b84110a643e160b531c8fe1d7af0b8d04a276d5cc9362
SHA5124cd0ee045c28044bc3b2fc5cfcd7686f5047a78033de1b8d303ce31dbfe799b41014f909343a472610f2eeb03d1df8566bf9ba28b65cdeb3c25bd8cea6d94293
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.gpay
Filesize842B
MD568d29d055340e302f35bd82d212021c8
SHA15662d309aaa945cea219c7a71474bd5e74f0ac35
SHA256924fdeeefdffba5821d1ebce5ebd5987a8d8d43c53ecd74de8f08d105d957c32
SHA5122a2d336408f59167c8fd73ab805b0fa8367f24b2738493964778059e0fc7d14e90b8dc8651516f13e8f18014264cb483e3cdbc3eae2592ffc7688114e69c6c94
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F.gpay
Filesize700B
MD532faadc8be68d71a2d201c9d15531bc8
SHA1ea348e7bdcc8b5718a504e360f8a1cc7cccf3864
SHA25630137b7cdc17c11eb79c55cf31b1a7e2a8823ebc4234aab0f1002847fe8ad628
SHA512486e6a3784e631979e8bc9d74886a6157fff26f40d167642247870d96e46a880eee0326f24546fdeb530ec4d7afc10fd2f8efa3e21f69589d4f7a837d9c781ae
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7.gpay
Filesize770B
MD5345921bc2030930f4167702f820c10c2
SHA1f60fa1838251f3e46789f86bc21b35c75bd84bfd
SHA25632f0ff29847766d45fe5f56958c8dc69e2b81625a5f9f12d572037023d12e522
SHA51235bd362798e725e2a8e572da78a91d88d8dfb4cd93919da2989edda793c5b65378103e66b9a294d5156dfd7005c1242f6a50b30bc4ae12b150b2ea248acd2a98
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.gpay
Filesize802B
MD542663cb50d325da1d9bb3657c3e7f59f
SHA12e037802dd3be0d688abd6d3a596412cf409a22e
SHA2560f21a3eaa8827750bdbe4d40171fa5164328b2426fe2b468645ba8b6b10101bd
SHA51248c038db319a97b20d8890b4d75434f9a6f3d64c054225e8cf621e6ce15d57dbe73ae9930c424c41aaabec37b07d9d8be794cb0e1c2445a85d4d00b7ee3d6004
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E.gpay
Filesize782B
MD5d0b39da9eafb984138251b8d367679cd
SHA1bad73230f3d333b2fe8e86bb0acea320bdace7ec
SHA2564e5ac14a78240e92aa3577524f10fcf2b482402d5576cf3ddc8979947b4c58f1
SHA51216281284b02adac16a605db9bde148259ffd98db9b6225c812e15811579309351ea169e79b4bbbb6601535b5db99d9806a8f9fc8dcf2018e004485a71d3243d5
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize850B
MD540bfb50e2742c10d2ef8bba691c58880
SHA1dfbef1386f0845962b1ea59be8870a5ee4bd9082
SHA256a541696eb68e2ddc437b2066afe2f7253871f397f1d826babcaea61ebee88eee
SHA512269a533f7a22cd8fc5910586039d00add272b7395d6e8fe1a204a1c4d6728fe8106e57ba444154a4012b425da91b0dfa3574f6cb0de551486973739aaae2e6c6
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.gpay
Filesize802B
MD5198c82704047feaaafeb88c1f5e82936
SHA1e9a8f11adc7a16ec489d6feaad362411159fe77f
SHA256b00b3a0c6ece91a0bc9c6c0c75462a7f2af18a9125b56e75ff3fc56396ecdef8
SHA512e800b0aa36277ad42f4923f738ce4e52ee9878d93477af164b6f5553e2472933605fdbe621cf1cfe87c28e7fa66f937b89abe37a2cfeec5db88cb06d8b4d891d
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.gpay
Filesize802B
MD57e88f7e6d8686f46d0d03282b35bdcbb
SHA12bfaeafec4eb27d622e5ea9c51424a050d3738e1
SHA256caa5df5b5f249c3629f156ad12967576b0d1f1326bd83685f30a006428e452a6
SHA5124909a0161e2a90b4b6340320ea0462648212f047c1f7875dd154bffc81a9a44693f8deabf47d152717c53e4b5b729bcc84661a5bc54c9eb1ae3619b41642ccfe
-
Filesize
4KB
MD5d550cc7e69effa9d0a0f45b05096c206
SHA10b25906bc035c00062d50f99fa85be9618a4e86c
SHA256d8f40de9fd20fa3a64fc53db598b9ce1ea70a9f5955c2192d917c1c585687a5a
SHA512287f0aaa55c92e1ae9705dc09239003a8cfd43bd1809c603102e5e86de4f8dfea3fbdb3ca3c7c6bfd6b1bdf02714208c56415041a23663ee3cfe7ddc533fb2ae