Resubmissions
16-03-2024 15:50 240316-s93d8aga69 (score 10)
Analysis
max time kernel: 1192s
max time network: 1073s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 14-04-2024 11:47
Static task: static1
Behavioral task behavioral1: sample ce7104bc850c5a07a867cadb8f4bfa59.exe, resource win7-20231129-en
Behavioral task behavioral2: sample ce7104bc850c5a07a867cadb8f4bfa59.exe, resource win10-20240404-en
Behavioral task behavioral3: sample ce7104bc850c5a07a867cadb8f4bfa59.exe, resource win10v2004-20240412-en
Behavioral task behavioral4: sample ce7104bc850c5a07a867cadb8f4bfa59.exe, resource win11-20240412-en
General
Target: ce7104bc850c5a07a867cadb8f4bfa59.exe
Size: 1.1MB
MD5: ce7104bc850c5a07a867cadb8f4bfa59
SHA1: ee1c80c04d2505bd0675e42317ce702c99a9c38e
SHA256: cd2bc2ceb0e1b7d7c31f7a2aec7e838d3a90767ed3d02e1720170875e4a23cb6
SHA512: 74f84a2c6b73c8519d3ec6b36a996c0cfc4d956c234200ed0e69a262fd66c224fdcf694a13fb1aa9cbbe5880afd9641725fe8d380196214a479ef8dc29fdc73b
SSDEEP: 24576:0HtrdKYVVSrqGDohJ3STZG8vIn/sCBGnWsY03+C:0HtV7GwBSTc8An/4YJC
Malware Config
Signatures
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies Installed Components in the registry 2 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | ce7104bc850c5a07a867cadb8f4bfa59.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | ce7104bc850c5a07a867cadb8f4bfa59.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | ce7104bc850c5a07a867cadb8f4bfa59.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\A254C801A254C801.bmp" | ce7104bc850c5a07a867cadb8f4bfa59.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\rescache\_merged\2717123927\1590785016.pri | explorer.exe
File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | SearchUI.exe
File created | C:\Windows\rescache\_merged\4032412167\4002656488.pri | explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2832 | vssadmin.exe
2212 | vssadmin.exe
4384 | vssadmin.exe

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\GPU | SearchUI.exe
Modifies registry class 32 IoCs
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
2088 ce7104bc850c5a07a867cadb8f4bfa59.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeBackupPrivilege 4048 vssvc.exe
Token: SeRestorePrivilege 4048 vssvc.exe
Token: SeAuditPrivilege 4048 vssvc.exe
Token: SeShutdownPrivilege 3412 explorer.exe
Token: SeCreatePagefilePrivilege 3412 explorer.exe
(the remaining 61 entries alternate between the two explorer.exe tokens above)
-
Suspicious use of FindShellTrayWindow 45 IoCs
pid Process
3412 explorer.exe (45 entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
pid Process
3412 explorer.exe (24 entries)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
1608 SearchUI.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 2088 wrote to memory of 2212 2088 ce7104bc850c5a07a867cadb8f4bfa59.exe 73
PID 2088 wrote to memory of 2212 2088 ce7104bc850c5a07a867cadb8f4bfa59.exe 73
PID 2088 wrote to memory of 4384 2088 ce7104bc850c5a07a867cadb8f4bfa59.exe 77
PID 2088 wrote to memory of 4384 2088 ce7104bc850c5a07a867cadb8f4bfa59.exe 77
PID 2088 wrote to memory of 2832 2088 ce7104bc850c5a07a867cadb8f4bfa59.exe 79
PID 2088 wrote to memory of 2832 2088 ce7104bc850c5a07a867cadb8f4bfa59.exe 79
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce7104bc850c5a07a867cadb8f4bfa59.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ce7104bc850c5a07a867cadb8f4bfa59.exe"
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2088
    C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe List Shadows
    - Interacts with shadow copies
    PID:2212
    -
    C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
    PID:4384
    -
    C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe List Shadows
    - Interacts with shadow copies
    PID:2832
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4048
-
C:\Windows\explorer.exe
Command line: explorer.exe
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3412
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1608
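The process tree is the most actionable part of this report. The sample (PID 2088, running from the user's Temp directory) spawns vssadmin.exe three times: List Shadows, then Delete Shadows /All /Quiet, then List Shadows again, which is the same parent-to-child relationship the WriteProcessMemory table records for target PIDs 2212, 4384 and 2832. The vssvc.exe, explorer.exe and SearchUI.exe entries are Windows components responding to that activity and to the desktop-wallpaper change, not code from the sample, so the registry noise they generate should not be treated as an indicator. The Python below is an added detection example, not code from the sandbox report or from the sample. It flags shadow-copy deletion in process-creation telemetry and rates it higher when the parent runs from an untrusted directory or also enumerated shadow copies first. The record shape (pid, ppid, image, command_line), the trusted-parent directories and the sample events are assumptions: the field names are chosen to map onto Sysmon Event ID 1 or Security Event ID 4688, and the events are constructed to mirror this tree's PIDs and command lines plus one constructed cmd.exe session for contrast.

```python
"""Flag Volume Shadow Copy deletion in process-creation records.

Added example, not part of the sandbox report or the sample. The record
shape is an assumption; map it from Sysmon Event ID 1 / Security 4688
fields in your own pipeline.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str


@dataclass(frozen=True)
class Alert:
    pid: int
    parent_pid: int
    parent_image: str
    severity: str
    command_line: str


# Command lines that remove or shrink shadow copies. The first pattern is the
# form used by this sample; the others are common equivalents.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bWin32_ShadowCopy\b.*\b(?:Delete|Remove)\b", re.I),
]
# Enumeration alone is harmless; from the same parent as a deletion it is recon.
SHADOW_LIST_PATTERN = re.compile(r"\bvssadmin(?:\.exe)?\b.*\blist\s+shadows\b", re.I)

# Assumption: parents under these directories may plausibly run vssadmin
# (system binaries, backup tooling). Anything else, e.g. %TEMP%, is untrusted.
TRUSTED_PARENT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_shadow_delete(command_line: str) -> bool:
    return any(p.search(command_line) for p in SHADOW_DELETE_PATTERNS)


def is_shadow_list(command_line: str) -> bool:
    return SHADOW_LIST_PATTERN.search(command_line) is not None


def classify(events: list[ProcEvent]) -> list[Alert]:
    """Return one Alert per shadow-copy deletion, rated by who launched it."""
    by_pid = {e.pid: e for e in events}
    children: dict[int, list[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    alerts = []
    for e in events:
        if not is_shadow_delete(e.command_line):
            continue
        parent = by_pid.get(e.ppid)
        parent_image = parent.image if parent else ""
        trusted_parent = parent_image.lower().startswith(TRUSTED_PARENT_DIRS)
        # A sibling "List Shadows" from the same parent is the recon step seen in the report.
        recon = any(is_shadow_list(s.command_line)
                    for s in children.get(e.ppid, []) if s.pid != e.pid)
        severity = "high" if (not trusted_parent or recon) else "medium"
        alerts.append(Alert(e.pid, e.ppid, parent_image or "<unknown>", severity, e.command_line))
    return alerts


# Constructed sample events. The first four mirror the PIDs and command lines of the
# report's process tree (the sample's own parent PID is not in the report, so 0 is used);
# the last two are a constructed admin session added for contrast.
SAMPLE_EVENTS = [
    ProcEvent(2088, 0, r"C:\Users\Admin\AppData\Local\Temp\ce7104bc850c5a07a867cadb8f4bfa59.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\ce7104bc850c5a07a867cadb8f4bfa59.exe"'),
    ProcEvent(2212, 2088, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe List Shadows"),
    ProcEvent(4384, 2088, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(2832, 2088, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe List Shadows"),
    ProcEvent(7000, 0, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(7001, 7000, r"C:\Windows\System32\vssadmin.exe",
              r"vssadmin delete shadows /for=C: /oldest"),
]


if __name__ == "__main__":
    for a in classify(SAMPLE_EVENTS):
        print(f"[{a.severity}] pid={a.pid} parent={a.parent_pid} ({a.parent_image}): {a.command_line}")
```

Run against the constructed events, the deletion under PID 2088 is rated high on both counts (parent in Temp, sibling List Shadows), while the cmd.exe invocation is only medium. Keep the medium tier: a trusted parent path does not make shadow deletion benign, it only changes who should be asked about it.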
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 188KB
MD5 fe40e7c6f5a937f970b066d1a56f4760
SHA1 bab863c0abcb744fadaccaceefdcce5fb2ff2f9a
SHA256 af5e401f5e3f6a067174972dda24ef0c21276c5f6d66cb0d5a29ccc98b7e3f1a
SHA512 f1b632e6b44523dda2f342435c07733d6498ff4a60d460fdb1e0e063a5d44077d2020bf1d506aa3b079600090a05cb00848eba6c2490fa2cb8c0de2cbc4d3a3a
-
Filesize 1024KB
MD5 e544ef29d4e4376c11911870686d58ca
SHA1 6a3dd7b9a10af1e327b8fc36963711653f7323e1
SHA256 e373e99d52bfab57972c46968612be66809782a05019fd5673685b33cf796204
SHA512 7f71ab8a2bc57c1d460bfe88dc8f34e82ff310ccc083dd5d616b0480ada77a32b6d75f293c9186ad26d5b0951f7f9ef600a1f0fb0ec39557071281161012ba2f
-
Filesize 7KB
MD5 51c0c2b45d331d0170dabb8cf49f9723
SHA1 132370bbb2defdb462899d910e1b6a924689c8c4
SHA256 9cf0b2e5798e86716f3ca950e9f661a2ecdd3d210b1eab4d31de6bdcd224ead8
SHA512 ddeac6e63a3e706a7c15a7e00a2e39df766c4e00b70cf4eb69ce5651e6cd65eb89597c1ccf2cffa2c5e4615d1a4a9cad518bae4681ae2aed48358a76b1eef76e
-
Filesize 1024KB
MD5 6ae36b6de5c5f1eeac5f49dc48641c04
SHA1 f0b4e0f67da9a245423eea527cdeb3fa400538c0
SHA256 58d96a1665603ea8aaa0b7833b99709c5e117602b2bbb9fe49cd86f3c98977a3
SHA512 a4c302cefd2f8522482a64927fe3459e2c81e52b0019a1358a68e2cce5c5d8953d1743d38ad74729f943790946f7b8e7f51589fa3668d28b10aee4b80f7c5180
-
Filesize 1024KB
MD5 894c08245c346af2d991b0bf6a59b69e
SHA1 6c5ff2e019b39c86aeea1f240b053a4603742423
SHA256 4d2d7f821e7cdd4b72aae8e7ebc295550a34e9847e098ffbf8d91432b9e6a13d
SHA512 5598e87cd6a2a62cad4433ab6b47a42589ed25ff275ddc535da3bff6b7b3e9654790c4866cb46f182192a44b66bf7e5cf3bfe37503c32480c4f48c9fb70a5fae
-
Filesize 24B
MD5 ae6fbded57f9f7d048b95468ddee47ca
SHA1 c4473ea845be2fb5d28a61efd72f19d74d5fc82e
SHA256 d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
SHA512 f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3
-
Filesize 7KB
MD5 11d3d2d2147fc99d983b349e198eea0e
SHA1 076df9e59d45d1d26f479ecd65fa5c2fd60a1dc4
SHA256 fe87a65850d9a20cdc91b28b9a87a1e38bd4125a5ed44f3f62a11b56fd9c0ccd
SHA512 dfd55cce79d5aaaca66aa220bf9ba8b426dc267e25cb8bf6d5b9991c2b7b8a5198e9d792c0a3fad76ffb6c4dbeb528d2d7ea1ddd472703faa7e2735b2d40ea78
-
Filesize 7KB
MD5 3a9b3ed0fc68ec49baf150b0734a9556
SHA1 4a4c09216a81379845d0859a363e06251891d61a
SHA256 a4acb51cbbf28669a2ea7be4dd7b9e80988acb23de3208991f9dccd5464ebe6b
SHA512 da8f13093cc94e969242bdd2347086d7312e8862e535aaea082e6da5d66846e9f3377c1ea9348d863586fbb1e7241210ffe1a14468f41efea66bac6b926c49e2
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4NZ8O90T\microsoft.windows[1].xml
Filesize 97B
MD5 1b6e70bda2fbd5a1e1a5397fb89a1dc4
SHA1 26cf345af0ad604976230cc3c54c59534aca0a2f
SHA256 500042553b63cf5a97ac73e3b3f668d07aa0f30857ba170a2cad07e6b4bff79d
SHA512 8affce7ff812f3954eeb05bea7759d2cc898c89b29ab199f782f32b93291d389e53fb59c162bde080850084bfd954ccc1c505d339c01df0080038e5a2c4423ab
-
Filesize 2.6MB
MD5 993cc909a89f0fb7fe90acc3703c2105
SHA1 f422cdcb426718b235a19080b0daf71c9b448768
SHA256 4aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8
SHA512 5ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762