Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
24/03/2024, 02:10
240324-clsbcaah7w 10Analysis
-
max time kernel
2699s -
max time network
2617s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
30/03/2024, 14:14
Behavioral task
behavioral1
Sample
5d4c5f3457c4487fe26df768ed8f3d2b.exe
Resource
win11-20240221-en
General
-
Target
5d4c5f3457c4487fe26df768ed8f3d2b.exe
-
Size
120KB
-
MD5
5d4c5f3457c4487fe26df768ed8f3d2b
-
SHA1
f5f3df7d11e06dc158ac8183a8bde5895f8ea251
-
SHA256
19c393a4787d325984d850d8f02db1f302819b808952f72c332251d5d95f7c32
-
SHA512
793b8917ad068b77bcc7d771a28069ac432cfb441438e1a1f159fe94cbb2aa550fb2cc47d7354e30275ce2df402774902c987ad9b9be900f3748281f13a30e9a
-
SSDEEP
3072:QoIcFr9LvJxaJ3e6ua0g0qcB2f/u80kcmU/C7eJBz4Jtu:dr9LvkbOqguxU6f4
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource yara_rule behavioral1/memory/3828-0-0x0000000000F80000-0x0000000000FA4000-memory.dmp family_chaos behavioral1/files/0x000700000002a701-6.dat family_chaos -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 4816 bcdedit.exe 3756 bcdedit.exe -
pid Process 3424 wbadmin.exe -
Drops startup file 6 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PrivateChat.url PrivateChat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini PrivateChat.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.txt PrivateChat.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.zc6l Taskmgr.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\privatechat.url Taskmgr.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\readme.txt Taskmgr.exe -
Executes dropped EXE 1 IoCs
pid Process 3608 PrivateChat.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Public\Pictures\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\Documents\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini PrivateChat.exe File opened for modification C:\Users\Public\Music\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini PrivateChat.exe File opened for modification C:\Users\Public\Desktop\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\Searches\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\Videos\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini PrivateChat.exe File opened for modification C:\Users\Public\Videos\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\Links\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini PrivateChat.exe File opened for modification C:\Users\Public\Documents\desktop.ini PrivateChat.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3594324687-1993884830-4019639329-1000\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\Music\desktop.ini PrivateChat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini PrivateChat.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\system32\gpedit.msc mmc.exe File opened for modification C:\Windows\System32\GroupPolicy mmc.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini mmc.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v0olehr6u.jpg" PrivateChat.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 Taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A Taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName Taskmgr.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 2124 tasklist.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2412 vssadmin.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings PrivateChat.exe Key created \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 3716 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3608 PrivateChat.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 3608 PrivateChat.exe 5064 PowerShell.exe 5064 PowerShell.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2200 Taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 59 IoCs
description pid Process Token: SeDebugPrivilege 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe Token: SeDebugPrivilege 3608 PrivateChat.exe Token: SeBackupPrivilege 3828 vssvc.exe Token: SeRestorePrivilege 3828 vssvc.exe Token: SeAuditPrivilege 3828 vssvc.exe Token: SeIncreaseQuotaPrivilege 5012 WMIC.exe Token: SeSecurityPrivilege 5012 WMIC.exe Token: SeTakeOwnershipPrivilege 5012 WMIC.exe Token: SeLoadDriverPrivilege 5012 WMIC.exe Token: SeSystemProfilePrivilege 5012 WMIC.exe Token: SeSystemtimePrivilege 5012 WMIC.exe Token: SeProfSingleProcessPrivilege 5012 WMIC.exe Token: SeIncBasePriorityPrivilege 5012 WMIC.exe Token: SeCreatePagefilePrivilege 5012 WMIC.exe Token: SeBackupPrivilege 5012 WMIC.exe Token: SeRestorePrivilege 5012 WMIC.exe Token: SeShutdownPrivilege 5012 WMIC.exe Token: SeDebugPrivilege 5012 WMIC.exe Token: SeSystemEnvironmentPrivilege 5012 WMIC.exe Token: SeRemoteShutdownPrivilege 5012 WMIC.exe Token: SeUndockPrivilege 5012 WMIC.exe Token: SeManageVolumePrivilege 5012 WMIC.exe Token: 33 5012 WMIC.exe Token: 34 5012 WMIC.exe Token: 35 5012 WMIC.exe Token: 36 5012 WMIC.exe Token: SeIncreaseQuotaPrivilege 5012 WMIC.exe Token: SeSecurityPrivilege 5012 WMIC.exe Token: SeTakeOwnershipPrivilege 5012 WMIC.exe Token: SeLoadDriverPrivilege 5012 WMIC.exe Token: SeSystemProfilePrivilege 5012 WMIC.exe Token: SeSystemtimePrivilege 5012 WMIC.exe Token: SeProfSingleProcessPrivilege 5012 WMIC.exe Token: SeIncBasePriorityPrivilege 5012 WMIC.exe Token: SeCreatePagefilePrivilege 5012 WMIC.exe Token: SeBackupPrivilege 5012 WMIC.exe Token: SeRestorePrivilege 5012 WMIC.exe Token: SeShutdownPrivilege 5012 WMIC.exe Token: SeDebugPrivilege 5012 WMIC.exe Token: SeSystemEnvironmentPrivilege 5012 WMIC.exe Token: SeRemoteShutdownPrivilege 5012 WMIC.exe Token: SeUndockPrivilege 5012 WMIC.exe Token: SeManageVolumePrivilege 5012 WMIC.exe Token: 33 5012 WMIC.exe Token: 34 5012 WMIC.exe Token: 35 5012 WMIC.exe Token: 36 5012 WMIC.exe Token: SeBackupPrivilege 4664 wbengine.exe Token: SeRestorePrivilege 4664 wbengine.exe Token: SeSecurityPrivilege 4664 wbengine.exe Token: SeDebugPrivilege 5064 PowerShell.exe Token: 33 1436 mmc.exe Token: SeIncBasePriorityPrivilege 1436 mmc.exe Token: 33 1436 mmc.exe Token: SeIncBasePriorityPrivilege 1436 mmc.exe Token: SeDebugPrivilege 2124 tasklist.exe Token: SeDebugPrivilege 2200 Taskmgr.exe Token: SeSystemProfilePrivilege 2200 Taskmgr.exe Token: SeCreateGlobalPrivilege 2200 Taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe 2200 Taskmgr.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 3472 MiniSearchHost.exe 1436 mmc.exe 1436 mmc.exe 1436 mmc.exe 1436 mmc.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 3828 wrote to memory of 3608 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 78 PID 3828 wrote to memory of 3608 3828 5d4c5f3457c4487fe26df768ed8f3d2b.exe 78 PID 3608 wrote to memory of 4568 3608 PrivateChat.exe 80 PID 3608 wrote to memory of 4568 3608 PrivateChat.exe 80 PID 4568 wrote to memory of 2412 4568 cmd.exe 82 PID 4568 wrote to memory of 2412 4568 cmd.exe 82 PID 4568 wrote to memory of 5012 4568 cmd.exe 85 PID 4568 wrote to memory of 5012 4568 cmd.exe 85 PID 3608 wrote to memory of 2000 3608 PrivateChat.exe 87 PID 3608 wrote to memory of 2000 3608 PrivateChat.exe 87 PID 2000 wrote to memory of 4816 2000 cmd.exe 89 PID 2000 wrote to memory of 4816 2000 cmd.exe 89 PID 2000 wrote to memory of 3756 2000 cmd.exe 90 PID 2000 wrote to memory of 3756 2000 cmd.exe 90 PID 3608 wrote to memory of 4984 3608 PrivateChat.exe 91 PID 3608 wrote to memory of 4984 3608 PrivateChat.exe 91 PID 4984 wrote to memory of 3424 4984 cmd.exe 93 PID 4984 wrote to memory of 3424 4984 cmd.exe 93 PID 3608 wrote to memory of 3716 3608 PrivateChat.exe 97 PID 3608 wrote to memory of 3716 3608 PrivateChat.exe 97 PID 5064 wrote to memory of 1436 5064 PowerShell.exe 104 PID 5064 wrote to memory of 1436 5064 PowerShell.exe 104 PID 5064 wrote to memory of 2124 5064 PowerShell.exe 107 PID 5064 wrote to memory of 2124 5064 PowerShell.exe 107 PID 5064 wrote to memory of 2200 5064 PowerShell.exe 109 PID 5064 wrote to memory of 2200 5064 PowerShell.exe 109 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d4c5f3457c4487fe26df768ed8f3d2b.exe"C:\Users\Admin\AppData\Local\Temp\5d4c5f3457c4487fe26df768ed8f3d2b.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Users\Admin\AppData\Roaming\PrivateChat.exe"C:\Users\Admin\AppData\Roaming\PrivateChat.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2412
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5012
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:4816
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:3756
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:3424
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt3⤵
- Opens file in notepad (likely ransom note)
PID:3716
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3828
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4664
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:4700
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:5112
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3472
-
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc"2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1436
-
-
C:\Windows\system32\tasklist.exe"C:\Windows\system32\tasklist.exe"2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2124
-
-
C:\Windows\system32\Taskmgr.exe"C:\Windows\system32\Taskmgr.exe"2⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2200
-
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\b0f69fad7f304f5fae415dd9ad4e3689 /t 444 /p 14361⤵PID:4560
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize9KB
MD504ae99393d56cad2873b023e1b0bea9b
SHA1b71e980122b44db1f70954ce7433aee384073931
SHA2563d63b7009ea36d1110014086573bad5b805ecadde714062d084f56903d816643
SHA5121d4c929bcd8b16d00dec95c296821a72013a158cf0e05c8aaca1122e730c0414bb88561b2a4982773e63bebb03e18885e1b7f063112e341d819c72756b5ac02c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
150B
MD5a20fdb4c03ee3e73c9d0b0659c6e1ee8
SHA1cab42c1c187c3d5e440b181be78426e8c9d8d5f6
SHA256f4a981301daecd9500e23fff4e7a5bff9657fb9566d958dbf04f59a46e47848b
SHA5124d2775c17f077e92d4702143fe9d931bf2b4a1adc5cdbe4735d3e8d262bc93d9da691134a4dcc93afa08d2baebd576c476b2e49e0325a9934ba373c6f15f929c
-
Filesize
436B
MD5fb252ba7ea2d4bc1ff70145e163b5499
SHA112ec7ad0d84299617aca6bd9a20c625afd3e47c7
SHA2569cd1cb23187412684ac372a804498c9c9090342935d368b9f8b5eba16c8121eb
SHA5120ad48058b76d1f1a2b6fef11d5a826a7f3afa4a20228a21adf0e264ef9e02f9cc2c4096e921b2c2cd3eebbe02c80fafa73f4b115391eb3d809c45dbd1d372b9f
-
Filesize
120KB
MD55d4c5f3457c4487fe26df768ed8f3d2b
SHA1f5f3df7d11e06dc158ac8183a8bde5895f8ea251
SHA25619c393a4787d325984d850d8f02db1f302819b808952f72c332251d5d95f7c32
SHA512793b8917ad068b77bcc7d771a28069ac432cfb441438e1a1f159fe94cbb2aa550fb2cc47d7354e30275ce2df402774902c987ad9b9be900f3748281f13a30e9a
-
Filesize
366B
MD5a9739643e50a5d9ca0f162feb7846dd5
SHA1d10c5feedd35fd2a24cd1266014ae8adaad22fd3
SHA256e611bd6ae4702f7496dda7ae78a5df097d1e6858c7fa38b3b9b7140379f7d51c
SHA512cb5e3943ccce39f10a899a4900952b702601840a2e6dd8e385ebed1e4e7b041f8440dd7dde229c5d28cf82f380b17f498a3e6cb8426d984b71a4115de3df9552