441116d55e97124a067207bf57483dd3462bccfb034e56c4152675b0dcb118e7

Analysis

max time kernel
142s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
Size

235KB
MD5

fac89802b3db89ba74cf8891824af3d6
SHA1

27b57dfdc8b1b265e3755cc0068be846c4c4981e
SHA256

21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061
SHA512

2c604a00446fe4901341a4c8093443cba06fc00ee90a946749c3b66b2205339850740406edd0553ef55a33573599c7e494eb1b0552395d1cd9e54a8d4268b3e5
SSDEEP

3072:thrQ6J0Exp7gW31x+S/EkuIDNGqLW4t5P0tz/aMgb2JpL7Ag0FujYWkcv23nNT3I:tiHgpR31kS8kuIpW60tRPAOs3sc8

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf

Ransom Note

[WHAT HAPPENED] Your important files produced on this computer have been encrypted due a security problem If you want to restore them, write us to the e-mail: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. [FREE DECRYPTION AS GUARANTEE] Before paying you can send to us up to 3 files for free decryption. Please note that files must NOT contain valuable information and their total size must be less than 1Mb [HOW TO OBTAIN BITCOINS] The easiest way to buy bitcoin is LocalBitcoins site. You have to register, click Buy bitcoins and select the seller by payment method and price https://localbitcoins.com/buy_bitcoins [ATTENTION] Do not rename encrypted files Do not try to decrypt your data using third party software, it may cause permanent data loss If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files Your ID: fdsbgz3Ni64477+GRkfIwvXExOmlgszS05/hgVf9+o7kcuXvygISrX/k87Jz/jmyMo1SwhmTH9gxxM4Utl5TzC8TAYfK2vHO7XBqfvBg5IogM2+AHXEchZiMWY5NoqgzF4qrEAye/qfeO7GqcfMnjfut3xPIQG/yIa/688I1/wM=

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (303) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\DECRYPTINFO = "\"C:\\Users\\Admin\\AppData\\Roaming\\!#_READ_ME_#!.inf\""	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe

Drops desktop.ini file(s) 27 IoCs

Processes:

21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\1.bmp"	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

912 vssadmin.exe
2312 vssadmin.exe
2980 vssadmin.exe
1884 vssadmin.exe
1576 vssadmin.exe
2756 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2436 vssvc.exe
Token: SeRestorePrivilege 2436 vssvc.exe
Token: SeAuditPrivilege 2436 vssvc.exe

pid	process
912	vssadmin.exe
2312	vssadmin.exe
2980	vssadmin.exe
1884	vssadmin.exe
1576	vssadmin.exe
2756	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	2436	vssvc.exe
Token: SeRestorePrivilege	2436	vssvc.exe
Token: SeAuditPrivilege	2436	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2832 wrote to memory of 2260	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2260	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2260	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2260	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2084	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2084	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2084	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2084	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2800	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2800	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2800	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2800	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2208	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2208	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2208	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2208	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2260 wrote to memory of 2312	2260	cmd.exe	vssadmin.exe
PID 2260 wrote to memory of 2312	2260	cmd.exe	vssadmin.exe
PID 2260 wrote to memory of 2312	2260	cmd.exe	vssadmin.exe
PID 2260 wrote to memory of 2312	2260	cmd.exe	vssadmin.exe
PID 2208 wrote to memory of 2980	2208	cmd.exe	vssadmin.exe
PID 2208 wrote to memory of 2980	2208	cmd.exe	vssadmin.exe
PID 2208 wrote to memory of 2980	2208	cmd.exe	vssadmin.exe
PID 2208 wrote to memory of 2980	2208	cmd.exe	vssadmin.exe
PID 2832 wrote to memory of 1984	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 1984	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 1984	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 1984	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 1484	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 1484	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 1484	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 1484	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 1984 wrote to memory of 1884	1984	cmd.exe	vssadmin.exe
PID 1984 wrote to memory of 1884	1984	cmd.exe	vssadmin.exe
PID 1984 wrote to memory of 1884	1984	cmd.exe	vssadmin.exe
PID 1984 wrote to memory of 1884	1984	cmd.exe	vssadmin.exe
PID 2832 wrote to memory of 2248	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2248	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2248	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2248	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 1564	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 1564	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 1564	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 1564	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 1564 wrote to memory of 1576	1564	cmd.exe	vssadmin.exe
PID 1564 wrote to memory of 1576	1564	cmd.exe	vssadmin.exe
PID 1564 wrote to memory of 1576	1564	cmd.exe	vssadmin.exe
PID 1564 wrote to memory of 1576	1564	cmd.exe	vssadmin.exe
PID 2832 wrote to memory of 2252	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2252	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2252	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2252	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 868	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 868	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 868	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 868	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 628	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 628	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 628	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 628	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2940	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2940	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2940	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe
PID 2832 wrote to memory of 2940	2832	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
"C:\Users\Admin\AppData\Local\Temp\21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:2312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
2⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
2⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
2⤵
PID:2252

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:2756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
2⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
PID:2940

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:912

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!#_READ_ME_#!.inf
2⤵
PID:1612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2436

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.Lck
Filesize
16B

MD5
35436a31e111af53c435f119b5051312

SHA1
b81a584d3dcd21a5cdb5380bfdc00625d79f2f54

SHA256
b97a4607e5e490f6a12b18b83f97b0967dbf02601f3f53fc42606c408997c8f9

SHA512
292d71f9fc9566606ef1112c93fc639f5a2275bf67108f7bbc48b44de5461127c4d92d92519794a6a74b60a3bdd2dd72875b7344b3b2fb49d316b7bdd7dd40ae

Download Submit
C:\ProgramData\Microsoft\MF\Pending.GRL
Filesize
14KB

MD5
bb63b37e19204a354fd421dc313ecb65

SHA1
c7737f3c3e81c430b11a20a6b5b3990e82dd290f

SHA256
738aac381d42ff71db5f2a63df0f4aa186f7be930dc30ff7dd7ff7f0bc526f8c

SHA512
bf38545b3c20d3d8ee8d915a688b23df92a1794d50fa00f6c6523244e90e641bbd7ab61a6748a2919ce5dd1a64548ebfdbb467840eae7da1b34450024d6e82f7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp
Filesize
48KB

MD5
6431795c31e5730ce99995849bf08dde

SHA1
675120e8e7a3252d6bd023f9e390d984cbbd3cfa

SHA256
00bcc1973b6d27098c2b64b7cfd5d2f4c0095f99f9132a402548cde7911cb650

SHA512
48761c8b26f049bb6c9021dc84224765b3a3e951b9431a45d3cbba3d2320592b7201f4019ebe3d6fdd71f24006101bdab73c26c0b960ce5f12386d6080d270b3

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi
Filesize
140KB

MD5
9d0bf08f95e60fd9419c637d22aab3c8

SHA1
621a0c8b299c16f389bb1c1a8aab9066d500df51

SHA256
49a96682cdbc3ec8eb1558ee0e2877e45ec35cc7d7361feea3ffd47c114125a4

SHA512
7050859e3197397958fa8125a78f998f963425ddb9aa0f73dea3af733b9ac19ab31cfaefeec6c4e06f5cdce45e08edbffa3acda6548cff66db232ff2965376c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf
Filesize
1KB

MD5
8349660e1f70d33c1b203e0400e283d6

SHA1
405ceae0ac5724b413df9a62ffd4ea18c4e59bc0

SHA256
4716387dc192b3aa79ab3e7b61a4c22db4f36f394721b36164de90f32c964e46

SHA512
8e3506581865c5183494055bceacf7141cf23de15c42c7c11be2641d3386fc6c0363780572bb983518288f22caa014eeafa93f841ba47b5173598c272998615e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RD1C27.tmp
Filesize
16B

MD5
5e86f65f2d217e422d8c44f5db9dd005

SHA1
1d7d08f0becbe092b0ddf9b83c8d54aee985bf8e

SHA256
267a38d4573a5ac776339c619a9c7f9f8278ddc9c1d8ec7fe8a20763042e1c8e

SHA512
2c611bc9aedf3eb8910daa745bcf250e54435ccf7e66b9b644a81f23d4031404c602885b1ec09d238f7a6453640e4d7611ce26be42368aa622fc2e536c937f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2760_253052458\1030e621-58de-4335-b3c3-5fc4354d658b.tmp
Filesize
242KB

MD5
c6677a621784eda266239697b95633c6

SHA1
8f6bad35b4a7af0c91d08ec32c1018f41a928da9

SHA256
e7752fb7dbf46d91ebbfa456c4583c3560c723cf2373f6c17c790567265b3dee

SHA512
a70793a67ac205eab6b34cc96917b7baf2b2fa6060c75ff5486efa604c59b0a4f9bab9ec0289d19eebb6d79bd31b80b552751de5bd5fb2dc49f9166f51384167

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2760_551961066\656eef17-2f27-4a0d-8404-2660e764ceba.tmp
Filesize
88KB

MD5
e33d2fc2f6844b85bfbd7e131a4a50cc

SHA1
07d9c300cb259f51671b2de60cf594477dfc50a5

SHA256
72e3c390435a6086fa4381203aed25c40537de7c39bf41c47edbe770cec73612

SHA512
ee94d8c9cc654954c6796e770c907193c04db7230d430425ca5a2c3d3e242b0188145a2d2b5433ddfafe03cec981a1f9b6f550103b1046b595a176f0a7d836d1

Download Submit
C:\vcredist2010_x64.log.html
Filesize
86KB

MD5
f674b11e7ef1d7c2a453369ad7949e1e

SHA1
73db32568b7dedf2b38229680d8c760ed2e18a3b

SHA256
fa59c1d1d32eafd45f66a0ca745e492872784146d0815bf81786f7315f63094e

SHA512
014c0507d347a5e7f9c140a5fb18fc5ac83c79baa03a32ba62317ecbf3882ecf11adefbe3e8ad1d03e23943be69618c4e7fd5b9af7622bddcf83b507082937c1

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads