Analysis
max time kernel: 149s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 29-04-2024 07:45
Static task: static1
Behavioral task: behavioral1
  Sample: mimicransomware_infected.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: mimicransomware_infected.exe
  Resource: win10v2004-20240426-en
General
Target: mimicransomware_infected.exe
Size: 23.2MB
MD5: aabdecc74290221f555bc6400ceef5c6
SHA1: 6bf8559dfd409bee873f4e147f31ce313d23f2bc
SHA256: a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd
SHA512: 880d741faf049b9276c4ab10e6e3a0817ef28cb05f0e00fa3edf814ebf545d3d316dfac022fcff4b8fee9f95e18542e2cf7e89f02702e30409409f40a5fb6bbe
SSDEEP: 393216:+/NvciCzO7XohRMU0K611YKvcg7dSVqMXDVZm/3hL1/VYs0tvj1Q3QJrSZ0aP54d:+1ciC6ohRMPK6gKzRctVZmf//VYRtvjR
Malware Config
Signatures
Detects Mimic ransomware 1 IoCs
resource yara_rule: behavioral2/files/0x000800000002341d-24.dat family_mimic
Mimic
Ransomware family first observed in the wild in 2022.
Modifies security service 2 TTPs 1 IoCs
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" by encrypt.exe. A Start value of 4 is SERVICE_DISABLED, so this turns off the Windows Update service (the Windows 10 default is 3, manual start).
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process: 4604 bcdedit.exe; 4232 bcdedit.exe (command lines not shown in this listing)
Renames multiple (5124) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
pid Process: 2040 wbadmin.exe
pid Process: 1184 wbadmin.exe
Sets file execution options in registry 2 TTPs 64 IoCs
All 64 entries are written by encrypt.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>. Every Debugger value is "C:\\Windows\\System32\\Systray.exe". When Windows starts an image that has an IFEO Debugger value it launches the debugger instead, with the original command line appended; Systray.exe is a legacy stub that exits immediately, so the targeted program never runs. The target images are security tooling (Sysmon64.exe, RaccineElevatedCfg.exe, taskmgr.exe), database, backup and remote-support services that would hold files open or allow recovery (sqlservr.exe, mysqld.exe, oracle.exe, VeeamDeploymentSvc.exe, TeamViewer_Service.exe), and Windows utilities such as shutdown.exe and logoff.exe. The listing is capped at 64 entries by the sandbox.
Set value (str) <image>\Debugger = "C:\\Windows\\System32\\Systray.exe" (34 entries): ocomm.exe, wsa_service.exe, QBW64.exe, fbserver.exe, pvlsvr.exe, sqlmangr.exe, logoff.exe, qbupdate.exe, TeamViewer_Service.exe, wxServerView.exe, QBIDPService.exe, SystemExplorer.exe, mysqld-opt.exe, taskmgr.exe, mysqld.exe, sql.exe, tbirdconfig.exe, wxServer.exe, httpd.exe, QBDBMgr.exe, SearchProtocolHost.exe, CompatTelRunner.exe, mydesktopqos.exe, SimplyConnectionManager.exe, mydesktopservice.exe, oracle.exe, node.exe, RaccineElevatedCfg.exe, Ssms.exe, sqlservrs.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, tomcat6.exe
Key created <image> (30 entries): tbirdconfig.exe, xfssvccon.exe, mysqld-nt.exe, qbupdate.exe, Ssms.exe, Sysmon64.exe, tomcat6.exe, SearchProtocolHost.exe, dbeng50.exe, VeeamDeploymentSvc.exe, sqlservr.exe, Creative Cloud.exe, sql.exe, TeamViewer_Service.exe, wdswfsafe.exe, SystemExplorer.exe, wpython.exe, SearchApp.exe, node.exe, RaccineElevatedCfg.exe, shutdown.exe, TeamViewer.exe, raw_agent_svc.exe, sqbcoreservice.exe, encsvc.exe, mydesktopservice.exe, ocssd.exe, QBIDPService.exe, httpd.exe, mspub.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation by mimicransomware_infected.exe
Executes dropped EXE 8 IoCs
pid Process: 4044 encrypt.exe; 2164 encrypt.exe; 5008 encrypt.exe; 1200 encrypt.exe; 772 encrypt.exe; 4408 Everything.exe; 2356 Everything.exe; 4988 sdel64.exe
encrypt.exe is the Mimic encryptor itself. Everything.exe is the voidtools Everything search utility, which Mimic bundles and abuses to enumerate files to encrypt; sdel64.exe is the 64-bit Sysinternals SDelete, used to securely wipe data.
Loads dropped DLL 5 IoCs
pid Process: 4044 encrypt.exe; 2164 encrypt.exe; 5008 encrypt.exe; 1200 encrypt.exe; 772 encrypt.exe
Modifies system executable filetype association 2 TTPs 10 IoCs
All entries are written by encrypt.exe. The value written, "\"%1\" %*", is the stock Windows open command for exefile, so the sample rewrites the .exe open verb to its default rather than redirecting it.
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\exefile\shell
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*"
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\exefile\shell\open\command
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\exefile\shell\open
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*"
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\exefile\shell\open\command
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Both values are written by encrypt.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
Set value (str) ...\Run\encrypt = "\"C:\\Users\\Admin\\AppData\\Local\\encrypt\\encrypt.exe\" -e all -sd -crc "
Set value (str) ...\Run\encrypt.exe = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\HACKLENDINIZ.txt\""
The first entry relaunches the encryptor at every logon (the -e all switch is the sample's own command line; its other switches are not documented in this report). The second reopens the ransom note HACKLENDINIZ.txt (Turkish for "you have been hacked") in Notepad, matching the "Opens file in notepad" entry below.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by encrypt.exe (21 entries): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\K: \??\L: \??\M: \??\N: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
File opened (read-only) by Everything.exe (43 entries, several letters repeated): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Probing the drive letters is how the encryptor and its bundled Everything indexer find mapped network shares and removable volumes to encrypt; the listing is capped at 64 entries.
Drops file in Program Files directory 64 IoCs
All 64 entries are files opened for modification by encrypt.exe. The two intact names show the extension appended to encrypted files, .fortservicebackup@gmail.com; in the other entries the final name component was replaced with "[email protected]" by e-mail address obfuscation on the page, so those filenames cannot be recovered from this capture.
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hr-hr\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\[email protected]
C:\Program Files (x86)\Windows Media Player\ja-JP\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_pl_135x40.svg.fortservicebackup@gmail.com
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\[email protected]
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_en_135x40.svg.fortservicebackup@gmail.com
C:\Program Files\Java\jre-1.8\[email protected]
C:\Program Files (x86)\Windows Media Player\en-US\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\[email protected]
C:\Program Files\Windows Photo Viewer\it-IT\[email protected]
C:\Program Files\Windows Defender\ja-JP\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\[email protected]
C:\Program Files\Windows Defender\uk-UA\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sv-se\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\[email protected]
C:\Program Files\Java\jre-1.8\lib\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\[email protected]
C:\Program Files\7-Zip\Lang\[email protected]
C:\Program Files\Common Files\System\Ole DB\en-US\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\[email protected]
C:\Program Files\Java\jdk-1.8\jre\lib\fonts\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\eu-es\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nb-no\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\[email protected]
C:\Program Files\Mozilla Firefox\[email protected]
C:\Program Files (x86)\Windows Photo Viewer\es-ES\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\[email protected]
C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\[email protected]
C:\Program Files (x86)\Windows Media Player\en-US\[email protected]
C:\Program Files (x86)\Common Files\System\ado\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\[email protected]
C:\Program Files\Java\jdk-1.8\jre\bin\server\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\eu-es\[email protected]
C:\Program Files\VideoLAN\VLC\lua\http\dialogs\[email protected]
C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\[email protected]
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\[email protected]
C:\Program Files\Java\jre-1.8\lib\ext\[email protected]
Drops file in Windows directory 3 IoCs
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl by wbadmin.exe
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl by wbadmin.exe
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl by wbadmin.exe
These are the Windows Backup engine's own trace logs, written because the sample invoked wbadmin.exe; they are not files dropped by the sample.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 by vds.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName by vds.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 by vds.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName by vds.exe
All four reads come from vds.exe, the Windows Virtual Disk Service, not from the sample's own processes, so they are more plausibly a side effect of the wbadmin/bcdedit activity than sandbox detection by Mimic. The device names do expose the QEMU-backed analysis VM.
Modifies registry class 20 IoCs
All entries except the MuiCache one are written by encrypt.exe. The effect of the mimicfile entries is that the .com extension is mapped to a new ProgID whose open verb launches the ransom note, so running any .com file shows the note in Notepad instead.
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\exefile\shell\open
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\MuiCache by StartMenuExperienceHost.exe
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\exefile\shell\open\command
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\exefile\shell
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\HACKLENDINIZ.txt\""
Key created \REGISTRY\MACHINE\Software\Classes\.com
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "mimicfile"
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command
Key created \REGISTRY\MACHINE\Software\Classes\mimicfile\shell\open\command
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*"
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\exefile
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\exefile\shell\open\command
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*"
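The registry artifacts in the "Sets file execution options", "Modifies security service", "Adds Run key", "Modifies system executable filetype association" and "Modifies registry class" entries above are all things a responder can verify and undo on a host. The following PowerShell script is an added example for this write-up; it is not part of the Triage report and not code from the Mimic sample. It assumes an elevated PowerShell 5.1 or later session on the affected host and takes the literal strings Systray.exe, encrypt.exe, HACKLENDINIZ.txt and mimicfile from this report; other Mimic builds may use different names, and the bcdedit/wbadmin recovery changes are not handled because their command lines are not captured here.

```powershell
<#
  Added host-triage script for the registry artifacts listed in this Triage report.
  Not part of the report or of the sample. Read-only by default; -Remediate undoes
  the findings and honours -WhatIf / -Confirm. Run elevated.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Where, $Value) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Value = $Value })
}

# 1. IFEO Debugger hijack. Any Debugger value under IFEO deserves review; one that
#    points at Systray.exe (a stub that exits at once) is the pattern in this report
#    and silently prevents the named image (taskmgr, Sysmon64, Raccine, SQL, ...) from running.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if (-not $dbg) { continue }
    $kind = if ($dbg -match 'systray\.exe') { 'IFEO-Systray' } else { 'IFEO-Debugger' }
    Add-Finding $kind $key.PSChildName $dbg
    if ($Remediate -and $PSCmdlet.ShouldProcess($key.PSChildName, 'Remove IFEO Debugger value')) {
        Remove-ItemProperty -Path $key.PSPath -Name Debugger
    }
}

# 2. Windows Update service: Start = 4 is SERVICE_DISABLED; Windows 10 default is 3 (manual).
$svcPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'
$start = (Get-ItemProperty -Path $svcPath -Name Start -ErrorAction SilentlyContinue).Start
if ($start -eq 4) {
    Add-Finding 'ServiceDisabled' 'wuauserv' $start
    if ($Remediate -and $PSCmdlet.ShouldProcess('wuauserv', 'Set Start = 3')) {
        Set-ItemProperty -Path $svcPath -Name Start -Value 3 -Type DWord
    }
}

# 3. Run values: "encrypt" relaunches the encryptor at logon, "encrypt.exe" reopens the note.
$runPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runPath -ErrorAction SilentlyContinue
foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
    if ($p.Value -notmatch 'encrypt\.exe|HACKLENDINIZ\.txt') { continue }
    Add-Finding 'RunKey' $p.Name $p.Value
    if ($Remediate -and $PSCmdlet.ShouldProcess($p.Name, 'Remove Run value')) {
        Remove-ItemProperty -Path $runPath -Name $p.Name
    }
}

# 4. Class hijack: .com -> mimicfile, whose open verb launches Notepad on the ransom note.
#    The stock ProgID for .com is comfile.
$comPath = 'HKLM:\SOFTWARE\Classes\.com'
$progId = (Get-ItemProperty -Path $comPath -ErrorAction SilentlyContinue).'(default)'
if ($progId -eq 'mimicfile') {
    $cmd = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\mimicfile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
    Add-Finding 'ClassHijack' '.com -> mimicfile' $cmd
    if ($Remediate -and $PSCmdlet.ShouldProcess($comPath, 'Restore .com to comfile and delete mimicfile')) {
        Set-ItemProperty -Path $comPath -Name '(default)' -Value 'comfile'
        Remove-Item -Path 'HKLM:\SOFTWARE\Classes\mimicfile' -Recurse
    }
}

# 5. exefile open verb: this sample writes the stock value "%1" %*; anything else is suspicious.
$exeCmd = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
if ($exeCmd -and $exeCmd -ne '"%1" %*') { Add-Finding 'ExefileVerb' 'exefile' $exeCmd }

$findings | Format-Table -AutoSize
```

Save as Invoke-MimicTriage.ps1 and run it without arguments to list findings; run it as `.\Invoke-MimicTriage.ps1 -Remediate -WhatIf` to preview the registry changes before applying them. The IFEO check reports every Debugger value, not only the Systray.exe ones, because a legitimate debugger registration is rare on a production host and is worth a look regardless.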
Opens file in notepad (likely ransom note) 1 IoCs
pid Process: 4476 notepad.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process: 1200 encrypt.exe, 772 encrypt.exe and 2164 encrypt.exe; the 64 entries shown are repeated hits from these three processes (listing capped at 64).
Suspicious use of AdjustPrivilegeToken 64 IoCs
encrypt.exe PIDs 4044 and 2164 each enabled the same 24 privileges, in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and LUIDs 33, 34, 35, 36 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege, which the sandbox did not resolve to names).
encrypt.exe PID 5008: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege (interleaved with PID 1200; listing cut off at 64 entries).
encrypt.exe PID 1200: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege.
This is exactly the privilege set present in an elevated administrator token, so the encryptor is enabling every privilege it already holds rather than gaining new ones (AdjustTokenPrivileges can enable but not grant). SeBackup, SeRestore and SeTakeOwnership let it open and rewrite files regardless of their ACLs; SeDebug lets it touch other processes.
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
4408 | Everything.exe
4484 | StartMenuExperienceHost.exe
2356 | Everything.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3216 wrote to memory of 4044 | 3216 | mimicransomware_infected.exe | 84
PID 3216 wrote to memory of 4044 | 3216 | mimicransomware_infected.exe | 84
PID 3216 wrote to memory of 4044 | 3216 | mimicransomware_infected.exe | 84
PID 4044 wrote to memory of 2164 | 4044 | encrypt.exe | 86
PID 4044 wrote to memory of 2164 | 4044 | encrypt.exe | 86
PID 4044 wrote to memory of 2164 | 4044 | encrypt.exe | 86
PID 2164 wrote to memory of 5008 | 2164 | encrypt.exe | 87
PID 2164 wrote to memory of 5008 | 2164 | encrypt.exe | 87
PID 2164 wrote to memory of 5008 | 2164 | encrypt.exe | 87
PID 2164 wrote to memory of 1200 | 2164 | encrypt.exe | 88
PID 2164 wrote to memory of 1200 | 2164 | encrypt.exe | 88
PID 2164 wrote to memory of 1200 | 2164 | encrypt.exe | 88
PID 2164 wrote to memory of 772 | 2164 | encrypt.exe | 89
PID 2164 wrote to memory of 772 | 2164 | encrypt.exe | 89
PID 2164 wrote to memory of 772 | 2164 | encrypt.exe | 89
PID 2164 wrote to memory of 4408 | 2164 | encrypt.exe | 90
PID 2164 wrote to memory of 4408 | 2164 | encrypt.exe | 90
PID 2164 wrote to memory of 4408 | 2164 | encrypt.exe | 90
PID 2164 wrote to memory of 2808 | 2164 | encrypt.exe | 106
PID 2164 wrote to memory of 2808 | 2164 | encrypt.exe | 106
PID 2164 wrote to memory of 1048 | 2164 | encrypt.exe | 107
PID 2164 wrote to memory of 1048 | 2164 | encrypt.exe | 107
PID 2164 wrote to memory of 1232 | 2164 | encrypt.exe | 108
PID 2164 wrote to memory of 1232 | 2164 | encrypt.exe | 108
PID 2164 wrote to memory of 4864 | 2164 | encrypt.exe | 110
PID 2164 wrote to memory of 4864 | 2164 | encrypt.exe | 110
PID 2164 wrote to memory of 2548 | 2164 | encrypt.exe | 111
PID 2164 wrote to memory of 2548 | 2164 | encrypt.exe | 111
PID 2164 wrote to memory of 3524 | 2164 | encrypt.exe | 113
PID 2164 wrote to memory of 3524 | 2164 | encrypt.exe | 113
PID 2164 wrote to memory of 4296 | 2164 | encrypt.exe | 114
PID 2164 wrote to memory of 4296 | 2164 | encrypt.exe | 114
PID 2164 wrote to memory of 4488 | 2164 | encrypt.exe | 116
PID 2164 wrote to memory of 4488 | 2164 | encrypt.exe | 116
PID 2164 wrote to memory of 3584 | 2164 | encrypt.exe | 117
PID 2164 wrote to memory of 3584 | 2164 | encrypt.exe | 117
PID 2164 wrote to memory of 1608 | 2164 | encrypt.exe | 118
PID 2164 wrote to memory of 1608 | 2164 | encrypt.exe | 118
PID 2164 wrote to memory of 628 | 2164 | encrypt.exe | 119
PID 2164 wrote to memory of 628 | 2164 | encrypt.exe | 119
PID 2164 wrote to memory of 1016 | 2164 | encrypt.exe | 120
PID 2164 wrote to memory of 1016 | 2164 | encrypt.exe | 120
PID 2164 wrote to memory of 1412 | 2164 | encrypt.exe | 121
PID 2164 wrote to memory of 1412 | 2164 | encrypt.exe | 121
PID 2164 wrote to memory of 4964 | 2164 | encrypt.exe | 122
PID 2164 wrote to memory of 4964 | 2164 | encrypt.exe | 122
PID 2164 wrote to memory of 3884 | 2164 | encrypt.exe | 123
PID 2164 wrote to memory of 3884 | 2164 | encrypt.exe | 123
PID 2164 wrote to memory of 4604 | 2164 | encrypt.exe | 144
PID 2164 wrote to memory of 4604 | 2164 | encrypt.exe | 144
PID 2164 wrote to memory of 4232 | 2164 | encrypt.exe | 145
PID 2164 wrote to memory of 4232 | 2164 | encrypt.exe | 145
PID 2164 wrote to memory of 2040 | 2164 | encrypt.exe | 146
PID 2164 wrote to memory of 2040 | 2164 | encrypt.exe | 146
PID 2164 wrote to memory of 1184 | 2164 | encrypt.exe | 148
PID 2164 wrote to memory of 1184 | 2164 | encrypt.exe | 148
PID 2164 wrote to memory of 2356 | 2164 | encrypt.exe | 157
PID 2164 wrote to memory of 2356 | 2164 | encrypt.exe | 157
PID 2164 wrote to memory of 2356 | 2164 | encrypt.exe | 157
PID 2164 wrote to memory of 4476 | 2164 | encrypt.exe | 158
PID 2164 wrote to memory of 4476 | 2164 | encrypt.exe | 158
PID 2164 wrote to memory of 4476 | 2164 | encrypt.exe | 158
PID 2164 wrote to memory of 4988 | 2164 | encrypt.exe | 159
PID 2164 wrote to memory of 4988 | 2164 | encrypt.exe | 159
-
System policy modification 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | encrypt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection | encrypt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" | encrypt.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | encrypt.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\mimicransomware_infected.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\mimicransomware_infected.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3216
  C:\tempenc\encrypt.exe
    cmdline: "C:\tempenc\encrypt.exe" -e all -sd -crc
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4044
    C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
      cmdline: "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e all -sd -crc
      - Modifies security service
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID:2164
      C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
        cmdline: "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e watch -pid 2164 -! -e all -sd -crc
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        PID:5008
      C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
        cmdline: "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e ul1
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:1200
      C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
        cmdline: "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e ul2
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        PID:772
      C:\Users\Admin\AppData\Local\encrypt\Everything.exe
        cmdline: "C:\Users\Admin\AppData\Local\encrypt\Everything.exe" -startup
        - Executes dropped EXE
        - Enumerates connected drives
        - Suspicious use of SetWindowsHookEx
        PID:4408
      C:\Windows\SYSTEM32\powercfg.exe
        cmdline: powercfg.exe -H off
        PID:2808
      C:\Windows\SYSTEM32\powercfg.exe
        cmdline: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        PID:1048
      C:\Windows\SYSTEM32\powercfg.exe
        cmdline: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        PID:1232
      C:\Windows\SYSTEM32\powercfg.exe
        cmdline: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        PID:4864
      C:\Windows\SYSTEM32\powercfg.exe
        cmdline: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        PID:2548
      C:\Windows\SYSTEM32\powercfg.exe
        cmdline: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        PID:3524
      C:\Windows\SYSTEM32\powercfg.exe
        cmdline: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        PID:4296
      C:\Windows\SYSTEM32\powercfg.exe
        cmdline: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        PID:4488
      C:\Windows\SYSTEM32\powercfg.exe
        cmdline: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        PID:3584
      C:\Windows\SYSTEM32\powercfg.exe
        cmdline: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        PID:1608
      C:\Windows\SYSTEM32\powercfg.exe
        cmdline: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        PID:628
      C:\Windows\SYSTEM32\powercfg.exe
        cmdline: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        PID:1016
      C:\Windows\SYSTEM32\powercfg.exe
        cmdline: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        PID:1412
      C:\Windows\SYSTEM32\powercfg.exe
        cmdline: powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
        PID:4964
      C:\Windows\SYSTEM32\powercfg.exe
        cmdline: powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
        PID:3884
      C:\Windows\SYSTEM32\bcdedit.exe
        cmdline: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
        PID:4604
      C:\Windows\SYSTEM32\bcdedit.exe
        cmdline: bcdedit.exe /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
        PID:4232
      C:\Windows\SYSTEM32\wbadmin.exe
        cmdline: wbadmin.exe DELETE SYSTEMSTATEBACKUP
        - Deletes System State backups
        - Drops file in Windows directory
        PID:2040
      C:\Windows\SYSTEM32\wbadmin.exe
        cmdline: wbadmin.exe delete catalog -quiet
        - Deletes backup catalog
        PID:1184
      C:\Users\Admin\AppData\Local\encrypt\Everything.exe
        cmdline: "C:\Users\Admin\AppData\Local\encrypt\Everything.exe" -startup
        - Executes dropped EXE
        - Enumerates connected drives
        - Suspicious use of SetWindowsHookEx
        PID:2356
      C:\Windows\SysWOW64\notepad.exe
        cmdline: notepad.exe "C:\Users\Admin\AppData\Local\HACKLENDINIZ.txt"
        - Opens file in notepad (likely ransom note)
        PID:4476
      C:\Users\Admin\AppData\Local\encrypt\sdel64.exe
        cmdline: "C:\Users\Admin\AppData\Local\encrypt\sdel64.exe" -accepteula -p 3 -c C:\
        - Executes dropped EXE
        PID:4988
-
C:\Windows\System32\Systray.exe
  cmdline: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:3112
-
C:\Windows\System32\Systray.exe
  cmdline: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:4816
-
C:\Windows\System32\Systray.exe
  cmdline: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:3828
-
C:\Windows\System32\Systray.exe
  cmdline: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:4948
-
C:\Windows\System32\Systray.exe
  cmdline: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:4184
-
C:\Windows\System32\Systray.exe
  cmdline: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:4076
-
C:\Windows\System32\Systray.exe
  cmdline: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:2152
-
C:\Windows\System32\Systray.exe
  cmdline: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:1176
-
C:\Windows\System32\Systray.exe
  cmdline: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:3076
-
C:\Windows\System32\Systray.exe
  cmdline: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:2356
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4484
-
C:\Windows\System32\Systray.exe
  cmdline: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:5108
-
C:\Windows\System32\Systray.exe
  cmdline: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:5092
-
C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  PID:776
-
C:\Windows\system32\wbengine.exe
  cmdline: "C:\Windows\system32\wbengine.exe"
  PID:4092
-
C:\Windows\System32\vdsldr.exe
  cmdline: C:\Windows\System32\vdsldr.exe -Embedding
  PID:3768
-
C:\Windows\System32\vds.exe
  cmdline: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
  PID:3348
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads
-
Filesize: 9KB
MD5: 5fe801d5e1efde008cc496fac9f42083
SHA1: 041ec9e6d7fe2992946589f3dc97a494fd20cb29
SHA256: bd56989258566053aa50a63db925fdd445ae6d6fe0814bac133961ee310fcdcf
SHA512: af7549b09c7b62170fcdeca20f87898a40b2b666580dc6e892d2fbb2e6fc4326f3e4f9168b6a7f2be11b10725ade5965233c7dcd8378d9a5dc7b28da2793f1b0
-
Filesize: 3KB
MD5: 308fbc3d2c72fc7b378e958d78e25c44
SHA1: 3945e5c865b39712465f5ac5dc5d8649bb5be715
SHA256: 3ade7cd7b360186c48db82643e2d3b70328bb6566a5d61a7b2b8bbd186498b89
SHA512: cd15bb363f28961a7412f31030b6bf7c87e6f22af0cef3cb0bce28080dd6033d531df478cb633c1e21b324b66145948a8a70829126291a7c99e096ed0b441a44
-
Filesize: 2KB
MD5: 0d77c549df400e1f9d7f50a18087a159
SHA1: 664a39ca44091093d62d1c59617cc4b1408308e4
SHA256: 8b7ea8e078426f52e4dfc8ec99cbc01b3ad4a5b932db897c706272bc739e20d4
SHA512: 58284c88cfce9338c92c98f3a25138f977b131635fbb43699d6521bcf30cb171f1940b2be1bcbb7840abe54458b686cad2797005de579b8dc2e1ea2c4d90aef6
-
Filesize: 4KB
MD5: 9f4a9dd096003a29d1445095ccdce0ce
SHA1: 9ec75b55cc1d2922e30197744253b80c355cd0e4
SHA256: 281b6049cbc0f2f0b752cc8710ce2acc8cfae7bdefafe5bb1e1ef7bc95b7c28a
SHA512: 464c3bc8a753b2aa157ccc18adf8921841415bb64037de9ce8534b3dee31b9f9e5ff90cb65d505dc47986756310ffde105273253ee6baac0176597a25d2a759e
-
Filesize: 1KB
MD5: f9b6ac9b419e1595984a40d5cb4c2aa8
SHA1: 3431a55631e88a2b2982c1d39955f4aca6bc83fd
SHA256: bc6d6fedb065aa657a1af7e40cc589da1bceabb09ca6d8854172e4cca664cd1a
SHA512: e1493ae840bb960031445a2b3560350374c5d0b84eac1cd6634d6b391d95fe542e0463e1bb7e13f9a59c62ad0c2d9856334291821b97973f8550c1985c0e953c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize: 13KB
MD5: 8725900cc13e01043041b223565619af
SHA1: 0f86aece9161eb0eecac681b54ab16ae294d95a6
SHA256: 83467aa462325253b65c4792a234e14ff35c020c3eb065339f5a8612c660817f
SHA512: 193631749ca6e96e61eda7c09762d9547689333f88d35690382e84cab6244b33bd03ff8d857b04715b1a8afd642413967afc6c7d3a0dd3e32b56c57522a8d02b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize: 13KB
MD5: ae0740fdc953d2e88d2011bb7cf06a2b
SHA1: c8b5a8ce003219d26768a85c6d3296179657eda7
SHA256: f8e43cae80d70cc107aeb017e8eaf990b8a6f1738aa2679cbd9539313d2a596f
SHA512: 83db6b935caaed29430eda7648eb617fd2a105506319602755d6d0e463b2b2c8fb4788f01c5e71766e3804b35b006d6480e3984bd50a17f0da7dbab28d93275b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize: 13KB
MD5: afbca6f7724b9854a1f7eb1335a315e3
SHA1: 233297cbf5df13474b8e24ca10650a0945dca23c
SHA256: 4b30e3916ccc6be99c38d16a84d4535460e3d8271411a8d05d79281326d6103c
SHA512: e1c0e79d7024756f65c73d10f8241851991158bfeac1e0d41fc96de9416bb69267a8ccf445d2ffe4a3ec3a87fb8401092d629f01439c2b6eb117f1c6b4d621ce
-
Filesize: 13.2MB
MD5: 04a4ca3ca183c51d43c476f1fbc4dc52
SHA1: 3ac22637c8f62f9df1b0c85605046714b441d3d5
SHA256: bc093c11cee90fce5a00be06dad98ae7a32c27ed402331a0f155e944ab53af4e
SHA512: b1d96c0aebb83ba8f7407130c976f09d22984afecbdd492bc59fe16e3d381195718db940826d36273e5c5a2c7101980543336c1fb53212b941f154b2a5c6679d
-
Filesize: 20KB
MD5: 2347d27745905ac976c2137ea0ef6dd7
SHA1: dab8bf4a7a11c0379aea8209b07c94ce5f6b6ae3
SHA256: f2dc987e852e4db83d38f06a4682f371692770046b6b0671e6e23a902f3dd42f
SHA512: 11df2870df8116c3ff276590444d5e4f05d5b014e5c343d50f1adbfbc7ca8202a39ce0c5c5b34d4bfed94a4b046553d6bba17dd58af0b0211a4cd386d3747f26
-
Filesize: 1.5MB
MD5: 34c7dcb64f7e1c0fc10ee4c595d0a2f2
SHA1: 65bbf375091a08c3dde4de1bb1ff5a182e3aa4a0
SHA256: 4f613e0e6487373a99dc830af35ea9eed12b802c698fd1a21950e351de24faf3
SHA512: a0a733c6aa4196267550c1577ca29fd2e6f674aa721769d479d9b176f4bd469d357e5ed85a5e915e613221bda83804b5f698e6da685dfd30b9e0d14c3031a126
-
Filesize: 772KB
MD5: b93eb0a48c91a53bda6a1a074a4b431e
SHA1: ac693a14c697b1a8ee80318e260e817b8ee2aa86
SHA256: ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142
SHA512: 732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5
-
Filesize: 47.4MB
MD5: 6e2bd9da8e4aa5ea5a4ca236bffbff2a
SHA1: 0019332594d0ef67300c3257a2d6c708ffed53a6
SHA256: 12921122de3b5525aab45bec5e7e0974e5da57914693bba12d5f6234f9e508a9
SHA512: 0405a1ee08b7f9cdd068df78d7630f187349a75d80cb54952a8f0e1c5693dba6166db0ca469ee3c2d4025bffabe605ebb926a081aa9f3a23a86fe91eb84f6c46
-
Filesize: 1.7MB
MD5: c44487ce1827ce26ac4699432d15b42a
SHA1: 8434080fad778057a50607364fee8b481f0feef8
SHA256: 4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405
SHA512: a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808
-
Filesize: 20KB
MD5: f76c7e0522feac7f22bf8d1dbe42b50c
SHA1: eeac2e325dae17242a993f4be748b4f8b0aabed6
SHA256: d2bda99bfdadb5e0a9464d841f66c28891c67382e6c044b8e14aa46923601326
SHA512: 96726be1bf168ae9be28e01f0dfc0c3b611c4d842de90ca71d009aa259f7d273bc094d34f2f7c7e1a6aa06b656d3d192baaac2c39c591610e428bc999132be2b
-
Filesize: 550B
MD5: 51014c0c06acdd80f9ae4469e7d30a9e
SHA1: 204e6a57c44242fad874377851b13099dfe60176
SHA256: 89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5
SHA512: 79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c
-
Filesize: 84KB
MD5: 3b03324537327811bbbaff4aafa4d75b
SHA1: 1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7
SHA256: 8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880
SHA512: ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62
-
Filesize: 2.1MB
MD5: d02d7dc907d19d2e448368d433baebfe
SHA1: d66616386e968ddb4661a9f9c1ef8c63403ba8f8
SHA256: 816fe96f0fff9475069d14cff51def4b823e1423c1aa464961ee6a61f7a62200
SHA512: 8cf776ec9332fcff9a6a080f39a6c734df4ccfb9bf405232f00d967d80ff4968c248077d90a7eff368ae3d7ac0edc8f504596212bf176364bb5ae37532c7969b
-
Filesize: 3.0MB
MD5: a48ee000e248741247c24dc70fa2f936
SHA1: 4c814fe7c94e6fb4d1d89cdae7e6e83905c459d7
SHA256: bb28adc32ff1b9dcfaac6b7017b4896d2807b48080f9e6720afde3f89d69676c
SHA512: 8bdd60732bf105b9ade5d4dbc5c722a866119e0a284692afc1bd5b530a4afc3954536a14946a87f72213c92020def2ac7b5c1cbcc51b6e0ad5671b7c58543f34
-
Filesize: 350KB
MD5: 803df907d936e08fbbd06020c411be93
SHA1: 4aa4b498ae037a2b0479659374a5c3af5f6b8d97
SHA256: e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c
SHA512: 5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532
-
Filesize: 448KB
MD5: e2114b1627889b250c7fd0425ba1bd54
SHA1: 97412dba3cbeb0125c71b7b2ab194ea2fdff51b2
SHA256: 5434dfdb731238edcb07a8c3a83594791536dda7a63c29f19be7bb1d59aedd60
SHA512: 76ca5f677bc8ee1485f3d5b028b3a91f74344e9ff7af3c62a98e737a9888bd35389b3e6bf7b8b67747e0f64e1c973c0708864f12de1388b95f5c31b4e084e2e1
-
Filesize: 32B
MD5: 5d52bf0ad56a46b3ec3f0f0cdae0c74e
SHA1: 128b12c7f5432fa1280eb4d74c4242fa49732f6c
SHA256: 09c09be4e16f8e9b1ac66e62766affc2a40801dd071a14f073089ac497fe5c48
SHA512: abaf7f21d9956b59dea8d761e854a1f67cf7f201c94c5cfae372da6c0da518be45f6d3b31f75e3ac55670ec1a1b5bad49b3e8d3a82fe132413f3761ac1d69f33