Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 30-04-2024 01:42
Static task: static1
Behavioral task: behavioral1
  Sample: a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd.exe
  Resource: win10v2004-20240419-en
General
Target: a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd.exe
Size: 23.2MB
MD5: aabdecc74290221f555bc6400ceef5c6
SHA1: 6bf8559dfd409bee873f4e147f31ce313d23f2bc
SHA256: a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd
SHA512: 880d741faf049b9276c4ab10e6e3a0817ef28cb05f0e00fa3edf814ebf545d3d316dfac022fcff4b8fee9f95e18542e2cf7e89f02702e30409409f40a5fb6bbe
SSDEEP: 393216:+/NvciCzO7XohRMU0K611YKvcg7dSVqMXDVZm/3hL1/VYs0tvj1Q3QJrSZ0aP54d:+1ciC6ohRMPK6gKzRctVZmf//VYRtvjR
Malware Config
Signatures
Detects Mimic ransomware 1 IoCs
resource: behavioral1/files/0x0008000000015d28-23.dat | yara_rule: family_mimic
Mimic
Ransomware family first observed in the wild in 2022.
Modifies security service 2 TTPs 1 IoCs
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | Process: encrypt.exe
A Start value of 4 is SERVICE_DISABLED: the Windows Update service (wuauserv) is switched off so it can no longer start, not merely stopped.
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs
resource: behavioral1/files/0x0008000000015d28-23.dat | yara_rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Detects command variations typically used by ransomware 1 IoCs
resource: behavioral1/files/0x0008000000015d28-23.dat | yara_rule: INDICATOR_SUSPICIOUS_GENRansomware
Detects executables containing anti-forensic artifacts of deleting the USN change journal. Observed in ransomware 1 IoCs
resource: behavioral1/files/0x0008000000015d28-23.dat | yara_rule: INDICATOR_SUSPICIOUS_USNDeleteJournal
Detects executables containing commands for clearing Windows Event Logs 1 IoCs
resource: behavioral1/files/0x0008000000015d28-23.dat | yara_rule: INDICATOR_SUSPICIOUS_ClearWinLogs
All four INDICATOR_SUSPICIOUS_* rules, like family_mimic, fire on the same dropped file, 0x0008000000015d28-23.dat: these are static matches on strings in the dropped payload, not observed behaviour.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid: 876 | Process: bcdedit.exe
pid: 2160 | Process: bcdedit.exe
Renames multiple (6742) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
pid: 1772 | Process: wbadmin.exe
pid: 2440 | Process: wbadmin.exe
Sets file execution options in registry 2 TTPs 64 IoCs
Process: encrypt.exe for every entry. IFEO below stands for \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
Set value (str) IFEO\<image>\Debugger = "C:\\Windows\\System32\\Systray.exe" for 29 images: sql.exe, RaccineSettings.exe, wsa_service.exe, mydesktopservice.exe, java.exe, vxmon.exe, SearchIndexer.exe, Raccine.exe, vsnapvss.exe, perfmon.exe, tasklist.exe, RAgui.exe, python.exe, Sysmon.exe, shutdown.exe, oracle.exe, sqlbrowser.exe, tomcat6.exe, mydesktopqos.exe, logoff.exe, httpd.exe, QBDBMgr.exe, Raccine_x86.exe, VeeamDeploymentSvc.exe, sqlservrs.exe, fbserver.exe, tv_x64.exe, wpython.exe, ocssd.exe
Key created IFEO\<image> for 35 images: sqlservrs.exe, SearchApp.exe, mydesktopservice.exe, ocautoupds.exe, wpython.exe, QBDBMgrN.exe, sqlagent.exe, httpd.exe, r.exe, EnterpriseClient.exe, java.exe, Raccine_x86.exe, SearchIndexer.exe, fbserver.exe, tv_w32.exe, sqlservr.exe, vsnapvss.exe, sqlwriter.exe, tv_x64.exe, python.exe, xfssvccon.exe, ocomm.exe, MsDtSrvr.exe, qbupdate.exe, Raccine.exe, VeeamDeploymentSvc.exe, isqlplussvc.exe, RaccineElevatedCfg.exe, Sysmon.exe, mysqld.exe, SimplyConnectionManager.exe, wsqmcons.exe, perfmon.exe, mspub.exe, msaccess.exe
When IFEO\<image>\Debugger is set, Windows launches the Debugger value and hands it the original command line as arguments, so the image itself never runs unless the "debugger" starts it. Pointing every entry at Systray.exe, a stock Windows binary, therefore silences the anti-ransomware tool Raccine and Sysmon, blocks shutdown.exe and logoff.exe, and keeps database and backup services (SQL Server, Oracle, MySQL, Firebird, Veeam, QuickBooks) from starting so that the files they would hold open stay free for encryption. The listing stops at 64 entries.
Executes dropped EXE 9 IoCs
pid 1656, 2516, 2292, 2148, 2564: encrypt.exe
pid 2940, 1964, 2636: Everything.exe
pid 1960: sdel64.exe
Everything.exe is the legitimate voidtools file-search utility, which Mimic bundles to enumerate target files quickly; sdel64.exe is a 64-bit secure-delete utility.
Loads dropped DLL 22 IoCs
pid 2208 (a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd.exe): 3 loads
pid 1656 (encrypt.exe): 2 loads
pid 2516 (encrypt.exe): 7 loads
pid 2292 (encrypt.exe): 5 loads
pid 2148 (encrypt.exe): 1 load
pid 2564 (encrypt.exe): 1 load
pid 2940 (Everything.exe): 2 loads
pid 2192 (Process not Found): 1 load
Modifies system executable filetype association 2 TTPs 10 IoCs
Process: encrypt.exe for every entry. HKU\<SID>_CLASSES below stands for \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES.
Key created HKU\<SID>_CLASSES\exefile\shell\open
Key created HKU\<SID>_CLASSES\exefile\shell\open\command
Key created HKU\<SID>_CLASSES\exefile\shell
Set value (str) HKU\<SID>_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"
Key created HKU\<SID>_CLASSES\exefile\shell\open\command
Set value (str) HKU\<SID>_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"
The value written, "%1" %*, is the normal default open command for exefile; the signature fires on the write to the association itself, in both the user hive and HKLM, twice each.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\encrypt = "\"C:\\Users\\Admin\\AppData\\Local\\encrypt\\encrypt.exe\" -e all -sd -crc " | Process: encrypt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\encrypt.exe = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\HACKLENDINIZ.txt\"" | Process: encrypt.exe
The first value relaunches the encryptor from its copy under AppData at every logon, with the same -e all -sd -crc arguments; the second opens the ransom note HACKLENDINIZ.txt (Turkish: "you have been hacked") in Notepad.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by encrypt.exe, 23 entries: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
File opened (read-only) by Everything.exe, 41 entries (letters repeat across the three Everything.exe instances): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y:
Drops file in Program Files directory 64 IoCs
All 64 entries are "File opened for modification" by encrypt.exe, and every recoverable target carries the appended extension .fortservicebackup@gmail.com. Where an entry reads "[email protected]", the file name and appended address were replaced by an e-mail-obfuscation placeholder in the captured page and cannot be recovered.
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar.fortservicebackup@gmail.com
C:\Program Files\DVD Maker\[email protected]
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\[email protected]
C:\Program Files (x86)\Common Files\System\ado\[email protected]
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png.fortservicebackup@gmail.com
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter.png.fortservicebackup@gmail.com
C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\[email protected]
C:\Program Files\Java\jre7\lib\zi\Asia\[email protected]
C:\Program Files (x86)\Common Files\System\msadc\[email protected]
C:\Program Files\VideoLAN\VLC\lua\http\dialogs\[email protected]
C:\Program Files\7-Zip\Lang\[email protected]
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\[email protected]
C:\Program Files\DVD Maker\Shared\DvdStyles\Push\[email protected]
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\[email protected]
C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\[email protected]
C:\Program Files (x86)\Common Files\System\msadc\ja-JP\[email protected]
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\[email protected]
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\[email protected]
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\[email protected]
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\[email protected]
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\[email protected]
C:\Program Files\Java\jre7\lib\zi\Europe\[email protected]
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)[email protected]
C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\[email protected]
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\[email protected]
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\[email protected]
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar.fortservicebackup@gmail.com
C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\[email protected]
C:\Program Files\Windows Journal\fr-FR\[email protected]
C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\[email protected]
C:\Program Files\Java\jre7\lib\zi\America\[email protected]
C:\Program Files\7-Zip\Lang\[email protected]
C:\Program Files\DVD Maker\Shared\DvdStyles\[email protected]
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\[email protected]
C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\[email protected]
C:\Program Files\7-Zip\Lang\[email protected]
C:\Program Files (x86)\Windows Media Player\en-US\[email protected]
C:\Program Files (x86)\Common Files\System\Ole DB\en-US\[email protected]
C:\Program Files\Common Files\System\msadc\es-ES\[email protected]
C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\[email protected]
C:\Program Files\Java\jre7\lib\zi\Asia\[email protected]
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\[email protected]
C:\Program Files (x86)\Common Files\microsoft shared\Stationery\[email protected]
C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\[email protected]
C:\Program Files\Java\jre7\lib\zi\Etc\[email protected]
C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\[email protected]
C:\Program Files\DVD Maker\Shared\DvdStyles\Push\[email protected]
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\[email protected]
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\[email protected]
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\[email protected]
C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\[email protected]
C:\Program Files\VideoLAN\VLC\lua\playlist\[email protected]
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\[email protected]
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\[email protected]
C:\Program Files\Java\jre7\lib\zi\Antarctica\[email protected]
C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\[email protected]
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\[email protected]
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar.fortservicebackup@gmail.com
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\[email protected]
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png.fortservicebackup@gmail.com
C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\[email protected]
C:\Program Files\Java\jre7\lib\[email protected]
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\[email protected]
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\[email protected]
Drops file in Windows directory 3 IoCs
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | Process: wbadmin.exe
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | Process: wbadmin.exe
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | Process: wbadmin.exe
These are the trace logs written by the two wbadmin.exe runs (PIDs 1772 and 2440) listed above.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 19 IoCs
Process: encrypt.exe for every entry. HKU\<SID>_CLASSES below stands for \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES.
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "mimicfile"
Key created HKU\<SID>_CLASSES\exefile\shell
Key created \REGISTRY\MACHINE\Software\Classes\mimicfile\shell\open\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\HACKLENDINIZ.txt\""
Key created \REGISTRY\MACHINE\Software\Classes\.com
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command
Key created HKU\<SID>_CLASSES\exefile\shell\open\command
Key created HKU\<SID>_CLASSES\exefile
Key created HKU\<SID>_CLASSES\exefile\shell\open
Set value (str) HKU\<SID>_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"
Key created HKU\<SID>_CLASSES\exefile\shell\open\command
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"
Set value (str) HKU\<SID>_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"
The .com extension is pointed at a new ProgID, mimicfile, whose open command runs Notepad on the ransom note; opening any .com file therefore displays HACKLENDINIZ.txt instead of running the program. The exefile entries repeat the ones listed under "Modifies system executable filetype association".
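The registry sections of this report (the wuauserv Start value, the Image File Execution Options entries, the two Run keys, and the .com/exefile associations above) arrive as one run-together line per signature. The following is an added example, not part of the Triage report or of Mimic, that splits such a line back into records and sorts them into the four behaviours a responder cares about: IFEO debugger hijacks, disabled services, Run-key persistence and file-association changes. The sample input copies records from this report and adds one constructed, benign IFEO entry (myapp.exe registered to vsjitdebugger.exe by devenv.exe, marked in the code) so the classifier has something to leave alone; the KNOWN_DEBUGGERS allow-list is an assumption to be extended per estate.

```python
"""Parse the flattened registry IoC text of a Triage-style report and triage it."""
import re
from collections import defaultdict

# One record is "<action> <key>[ = "<value>"] <process>", and records are run
# together with single spaces. Key paths contain spaces ("Windows NT", "Image
# File Execution Options"), so the boundary is found by looking ahead for the
# next action keyword (or the end of the text) after a process name.
RECORD = re.compile(
    r'(?P<action>Set value \((?:str|int)\)|Key created) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>(?:[^"\\]|\\.)*)")?'   # quoted value, \" and \\ escaped
    r' (?P<proc>[\w.-]+\.exe)'
    r'(?= Set value \(| Key created |\s*-?\s*$)'
)

IFEO = "\\Image File Execution Options\\"
# Assumption: debuggers an administrator may legitimately register under IFEO.
# Any other Debugger target is treated as a hijack.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe", "ntsd.exe"}

# Sample input: records copied from this report, plus one constructed benign entry.
SAMPLE = "description ioc Process " + " ".join([
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" encrypt.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sql.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlservrs.exe encrypt.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sysmon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe',
    # constructed benign entry, not from the report
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe\Debugger = "C:\\Windows\\System32\\vsjitdebugger.exe" devenv.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\encrypt = "\"C:\\Users\\Admin\\AppData\\Local\\encrypt\\encrypt.exe\" -e all -sd -crc " encrypt.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\encrypt.exe = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\HACKLENDINIZ.txt\"" encrypt.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "mimicfile" encrypt.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\HACKLENDINIZ.txt\"" encrypt.exe',
]) + " -"


def parse_iocs(text):
    """Split one run-together signature line into records (action, key, value, proc)."""
    body = text.strip()
    header = "description ioc Process "
    if body.startswith(header):
        body = body[len(header):]
    body = body.rstrip(" -")          # trailing separator left by the page layout
    return [{"action": m["action"], "key": m["key"], "value": m["value"], "proc": m["proc"]}
            for m in RECORD.finditer(body)]


def classify(rec):
    """Return (kind, subject, value) for one registry record."""
    key, value = rec["key"], rec["value"]
    if IFEO in key:
        image = key.split(IFEO, 1)[1].split("\\")[0]
        if value is None:
            return "ifeo_key_created", image, None
        # Values are logged with doubled backslashes; collapse them to read the target.
        target = value.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
        kind = "ifeo_debugger_configured" if target in KNOWN_DEBUGGERS else "ifeo_debugger_hijack"
        return kind, image, value
    if "\\services\\" in key and key.endswith("\\Start"):
        service = key.rsplit("\\", 2)[-2]
        return ("service_disabled" if value == "4" else "service_start_changed"), service, value
    if "\\CurrentVersion\\Run\\" in key:
        return "run_key_persistence", key.rsplit("\\", 1)[-1], value
    if "\\Classes\\" in key and value is not None:
        return "file_association_change", key.split("\\Classes\\", 1)[1].rstrip("\\"), value
    return "other", key, value


def triage(text):
    """Group every record by behaviour: {kind: [(subject, value, writing process), ...]}."""
    findings = defaultdict(list)
    for rec in parse_iocs(text):
        kind, subject, value = classify(rec)
        findings[kind].append((subject, value, rec["proc"]))
    return dict(findings)


if __name__ == "__main__":
    for kind, rows in triage(SAMPLE).items():
        print(kind)
        for subject, value, proc in rows:
            print(f"  {subject:>32}  {value!r:<60}  by {proc}")
```

Key created entries under IFEO carry no value and are reported separately: on their own they are preparation, and the Debugger write that follows is the actual hijack. The same parser handles the other flattened registry signatures on this page (exefile association, the wuauserv service entry), which differ only in the key prefix.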
Opens file in notepad (likely ransom note) 1 IoCs
pid: 2408 | Process: notepad.exe
Suspicious behavior: EnumeratesProcesses 53 IoCs
Process: encrypt.exe, PIDs 2292, 2516 and 2564, 53 enumeration events in total (the bulk from 2292 and 2516).
Suspicious use of AdjustPrivilegeToken 64 IoCs
encrypt.exe PIDs 1656 and 2516 each enabled the same 23 privileges, in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35.
encrypt.exe PID 2148 enabled the first 18 of the same list, SeIncreaseQuotaPrivilege through SeManageVolumePrivilege; the listing stops at 64 entries.
The unnamed LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Enabling every privilege an elevated token holds in one sweep is the signature of an "enable all" AdjustTokenPrivileges call; SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege let the encryptor open and rewrite files regardless of their ACLs, and SeDebugPrivilege lets it open other processes.
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
2940 Everything.exe
2636 Everything.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2208 wrote to memory of 1656 (4 writes) 2208 a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd.exe 28
PID 1656 wrote to memory of 2516 (4 writes) 1656 encrypt.exe 29
PID 2516 wrote to memory of 2148 (4 writes) 2516 encrypt.exe 30
PID 2516 wrote to memory of 2292 (4 writes) 2516 encrypt.exe 31
PID 2516 wrote to memory of 2564 (4 writes) 2516 encrypt.exe 32
PID 2516 wrote to memory of 2940 (4 writes) 2516 encrypt.exe 33
PID 2516 wrote to memory of 1316 (4 writes) 2516 encrypt.exe 34
PID 2516 wrote to memory of 656 (4 writes) 2516 encrypt.exe 35
PID 2516 wrote to memory of 1960 (4 writes) 2516 encrypt.exe 36
PID 2516 wrote to memory of 896 (4 writes) 2516 encrypt.exe 37
PID 2516 wrote to memory of 1532 (4 writes) 2516 encrypt.exe 38
PID 2516 wrote to memory of 1748 (4 writes) 2516 encrypt.exe 39
PID 2516 wrote to memory of 1552 (4 writes) 2516 encrypt.exe 40
PID 2516 wrote to memory of 1556 (4 writes) 2516 encrypt.exe 41
PID 2516 wrote to memory of 1660 (4 writes) 2516 encrypt.exe 42
PID 2516 wrote to memory of 1776 (4 writes) 2516 encrypt.exe 43
The sandbox records one row per WriteProcessMemory call, four per child here (the writes a parent makes into a freshly created child before it starts running), which is why the original table repeats each pair four times. The listing stops at 64 rows, so the later children visible in the process tree (2312, 2128, 884, 1324, 1972, 876, 2160, 1772, 2440, 2636, 2408) do not appear here. The chain is 2208 (dropper) -> 1656 (first-stage encrypt.exe in C:\tempenc) -> 2516 (the copy in %LOCALAPPDATA%\encrypt, which spawns everything else). -
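The flattened rows above can be turned back into a tree mechanically. This is an added example, not part of the sandbox report: it parses rows in the shape the WriteProcessMemory table flattens to ("PID <writer> wrote to memory of <target> <writer> <image> <procid_target>", an assumption about the report's rendering), collapses the repeated rows into a write count, and renders the chain so the process that spawns everything else stands out. SAMPLE_ROWS is a constructed subset of the rows shown above.

```python
"""Rebuild the spawn/injection chain from flattened 'wrote to memory' rows.

Added example; not code from the sandbox or from the Mimic sample. The row
format is assumed from how the report's table renders; SAMPLE_ROWS is a
constructed subset of the report's rows (four identical rows per child).
"""
import re
from collections import defaultdict

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

SAMPLE_ROWS = (
    "PID 2208 wrote to memory of 1656 2208 "
    "a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd.exe 28 " * 4
    + "PID 1656 wrote to memory of 2516 1656 encrypt.exe 29 " * 4
    + "PID 2516 wrote to memory of 2148 2516 encrypt.exe 30 " * 4
    + "PID 2516 wrote to memory of 2292 2516 encrypt.exe 31 " * 4
    + "PID 2516 wrote to memory of 2940 2516 encrypt.exe 33 " * 4
)


def parse_rows(text):
    """Return {(writer_pid, target_pid): [image, write_count]} in first-seen order."""
    edges = {}
    for m in ROW.finditer(text):
        writer, target, _writer_again, image, _procid_target = m.groups()
        key = (int(writer), int(target))
        if key not in edges:
            edges[key] = [image, 0]
        edges[key][1] += 1  # one row per WriteProcessMemory call
    return edges


def build_tree(edges):
    """Roots are writers nobody wrote into; children keep the report's order."""
    children = defaultdict(list)
    for writer, target in edges:
        children[writer].append(target)
    targets = {t for _, t in edges}
    roots = sorted({w for w, _ in edges} - targets)
    return roots, dict(children)


def image_of(pid, edges):
    """The image name is only known for processes that themselves wrote into a child."""
    return next((img for (w, _), (img, _) in edges.items() if w == pid),
                "(no writes recorded)")


def render(pid, children, edges, depth=0, via=None):
    """Depth-first text tree: one line per process, write count on the edge from its parent."""
    label = f"{pid} {image_of(pid, edges)}"
    if via is not None:
        label += f"  <- {edges[via][1]} writes from {via[0]}"
    lines = ["  " * depth + label]
    for child in children.get(pid, []):
        lines.extend(render(child, children, edges, depth + 1, via=(pid, child)))
    return lines


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    roots, children = build_tree(edges)
    for root in roots:
        print("\n".join(render(root, children, edges)))
```

Leaves show "(no writes recorded)" because the table only names the writing process; the child's image has to come from the process tree further down the page. Running it on the full row set would show 2516 fanning out to the fourteen children listed.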
System policy modification 1 TTPs 6 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer encrypt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1" encrypt.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System encrypt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" encrypt.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection encrypt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" encrypt.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indented by parent/child depth; PID of each process on its last line)

C:\Users\Admin\AppData\Local\Temp\a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd.exe
  "C:\Users\Admin\AppData\Local\Temp\a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2208

    C:\tempenc\encrypt.exe
      "C:\tempenc\encrypt.exe" -e all -sd -crc
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:1656

        C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
          "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e all -sd -crc
          - Modifies security service
          - Sets file execution options in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies system executable filetype association
          - Adds Run key to start application
          - Enumerates connected drives
          - Drops file in Program Files directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID:2516

            C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
              "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e watch -pid 2516 -! -e all -sd -crc
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of AdjustPrivilegeToken
              PID:2148

            C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
              "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e ul1
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              PID:2292

            C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
              "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e ul2
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              PID:2564

            C:\Users\Admin\AppData\Local\encrypt\Everything.exe
              "C:\Users\Admin\AppData\Local\encrypt\Everything.exe" -startup
              (the voidtools "Everything" file-search tool, dropped alongside the encryptor)
              - Executes dropped EXE
              - Loads dropped DLL
              - Enumerates connected drives
              - Suspicious use of SetWindowsHookEx
              PID:2940

                C:\Users\Admin\AppData\Local\encrypt\Everything.exe
                  "C:\Users\Admin\AppData\Local\encrypt\Everything.exe" -app-data
                  - Executes dropped EXE
                  PID:1964

            C:\Windows\system32\powercfg.exe
              powercfg.exe -H off
              (disables hibernation)
              PID:1316

            C:\Windows\system32\powercfg.exe
              powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
              (High performance scheme, "Power buttons and lid" subgroup: power button action = 0, "Do nothing", on AC power)
              PID:656

            C:\Windows\system32\powercfg.exe
              powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
              (High performance: sleep button action = Do nothing, AC)
              PID:1960

            C:\Windows\system32\powercfg.exe
              powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
              (High performance: lid close action = Do nothing, AC)
              PID:896

            C:\Windows\system32\powercfg.exe
              powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
              (High performance: power button action = Do nothing, on battery)
              PID:1532

            C:\Windows\system32\powercfg.exe
              powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
              (High performance: sleep button action = Do nothing, battery)
              PID:1748

            C:\Windows\system32\powercfg.exe
              powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
              (High performance: lid close action = Do nothing, battery)
              PID:1552

            C:\Windows\system32\powercfg.exe
              powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
              (Ultimate Performance scheme: power button action = Do nothing, AC)
              PID:1556

            C:\Windows\system32\powercfg.exe
              powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
              (Ultimate Performance: sleep button action = Do nothing, AC)
              PID:1660

            C:\Windows\system32\powercfg.exe
              powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
              (Ultimate Performance: lid close action = Do nothing, AC)
              PID:1776

            C:\Windows\system32\powercfg.exe
              powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
              (Ultimate Performance: power button action = Do nothing, battery)
              PID:2312

            C:\Windows\system32\powercfg.exe
              powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
              (Ultimate Performance: sleep button action = Do nothing, battery)
              PID:2128

            C:\Windows\system32\powercfg.exe
              powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
              (Ultimate Performance: lid close action = Do nothing, battery)
              PID:884

            C:\Windows\system32\powercfg.exe
              powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
              (activates the High performance scheme)
              PID:1324

            C:\Windows\system32\powercfg.exe
              powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
              (activates the Ultimate Performance scheme; that scheme only exists on Windows 10 1803 and later, so on this Windows 7 sandbox the e9a42b02 commands fail and the High performance settings are the ones that take effect)
              PID:1972

            C:\Windows\system32\bcdedit.exe
              bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
              (suppresses the boot-failure recovery prompt)
              - Modifies boot configuration data using bcdedit
              PID:876

            C:\Windows\system32\bcdedit.exe
              bcdedit.exe /set {default} recoveryenabled no
              (disables automatic start of the Windows Recovery Environment)
              - Modifies boot configuration data using bcdedit
              PID:2160

            C:\Windows\system32\wbadmin.exe
              wbadmin.exe DELETE SYSTEMSTATEBACKUP
              - Deletes System State backups
              - Drops file in Windows directory
              PID:1772

            C:\Windows\system32\wbadmin.exe
              wbadmin.exe delete catalog -quiet
              - Deletes backup catalog
              PID:2440

            C:\Users\Admin\AppData\Local\encrypt\Everything.exe
              "C:\Users\Admin\AppData\Local\encrypt\Everything.exe" -startup
              - Executes dropped EXE
              - Enumerates connected drives
              - Suspicious use of SetWindowsHookEx
              PID:2636

            C:\Windows\SysWOW64\notepad.exe
              notepad.exe "C:\Users\Admin\AppData\Local\HACKLENDINIZ.txt"
              (HACKLENDINIZ is Turkish for "you have been hacked")
              - Opens file in notepad (likely ransom note)
              PID:2408

            C:\Users\Admin\AppData\Local\encrypt\sdel64.exe
              "C:\Users\Admin\AppData\Local\encrypt\sdel64.exe" -accepteula -p 3 -c C:\
              (Sysinternals SDelete: three-pass overwrite of the free space on C:\, so the deleted plaintext originals cannot be carved back)
              - Executes dropped EXE
              PID:1960

The power-plan changes, the hibernation switch and the HidePowerOptions / shutdownwithoutlogon policy values above all serve the same end: the machine should not sleep, hibernate or be shut down from the lid or power button while encryption runs. The bcdedit and wbadmin calls remove the built-in recovery paths before the SDelete pass destroys the originals.

Service-hosted processes started while the sample used the backup and shadow-copy APIs (their parent is a service host the report does not show, so they appear at top level):

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  (Volume Shadow Copy service)
  PID:1352

C:\Windows\system32\wbengine.exe
  "C:\Windows\system32\wbengine.exe"
  (Block Level Backup Engine, the service behind wbadmin)
  PID:2812

C:\Windows\System32\vdsldr.exe
  C:\Windows\System32\vdsldr.exe -Embedding
  (Virtual Disk Service loader, COM-activated)
  PID:2820

C:\Windows\System32\vds.exe
  C:\Windows\System32\vds.exe
  (Virtual Disk Service)
  PID:2360
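The command lines in the tree are the part of this sample that is cheapest to detect from process-creation telemetry, because they are the same on every host. The following is an added example, not part of the sandbox report and not code from the Mimic sample: a small rule set run over constructed events modelled on the tree above. The event fields (pid, ppid, cmdline) are assumed names loosely following Sysmon Event ID 1; the GUIDs are the Windows power-setting identifiers that appear in the tree. Tags are attributed to the parent PID, since the spawner is the actor, and a parent is flagged only when it combines at least two independent categories, so a lone `powercfg -h off` typed by an administrator stays below the bar.

```python
"""Classify process-creation command lines for the 'inhibit recovery' pattern.

Added example, not part of the sandbox report and not code from the Mimic
sample. Event fields (pid, ppid, cmdline) are assumed names modelled on
Sysmon Event ID 1; SAMPLE_EVENTS is constructed from the report's process tree.
"""
import re
from collections import defaultdict

# Well-known Windows power-setting GUIDs seen in the tree above.
HIGH_PERF = "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"    # "High performance" scheme
SUB_BUTTONS = "4f971e89-eebd-4455-a8de-9e59040e7347"  # "Power buttons and lid" subgroup
BUTTON_SETTINGS = {
    "7648efa3-dd9c-4e3e-b566-50f929386280": "power button action",
    "96996bc0-ad50-47ec-923b-6f41874dd9eb": "sleep button action",
    "5ca83367-6e45-459f-a27b-476b1d01c936": "lid close action",
}

# (regex over the lower-cased command line, tag). Text before ':' is the category.
RULES = [
    (r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", "T1490:bcdedit recoveryenabled no"),
    (r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", "T1490:bcdedit bootstatuspolicy ignoreallfailures"),
    (r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", "T1490:wbadmin delete catalog"),
    (r"\bwbadmin(\.exe)?\b.*\bdelete\s+systemstatebackup\b", "T1490:wbadmin delete systemstatebackup"),
    (r"\bpowercfg(\.exe)?\s+[-/]h\s+off\b", "power:hibernation disabled"),
    (r"\bsdel(ete)?(64)?(\.exe)?\b.*\s-c\b", "anti-forensics:sdelete free-space wipe"),
]
# powercfg -SETACVALUEINDEX|-SETDCVALUEINDEX <scheme> <subgroup> <setting> <value>
POWERCFG_INDEX = re.compile(
    r"\bpowercfg(\.exe)?\s+[-/]set(ac|dc)valueindex\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\b")


def classify(cmdline):
    """Return the tags one command line triggers; an empty list means nothing of interest."""
    low = cmdline.lower()
    tags = [tag for pattern, tag in RULES if re.search(pattern, low)]
    m = POWERCFG_INDEX.search(low)
    # Only the button/lid subgroup being set to 0 ("Do nothing") is flagged;
    # the same verb is used by legitimate power-plan administration.
    if m and m.group(4) == SUB_BUTTONS and m.group(5) in BUTTON_SETTINGS and m.group(6) == "0":
        supply = "AC" if m.group(2) == "ac" else "DC"
        tags.append(f"power:{BUTTON_SETTINGS[m.group(5)]} set to 'do nothing' ({supply})")
    return tags


def tags_by_parent(events):
    """Attribute each child's tags to its parent PID: the spawner is the actor."""
    out = defaultdict(list)
    for _pid, ppid, cmdline in events:
        out[ppid].extend(classify(cmdline))
    return dict(out)


def is_suspicious(tags):
    """Two or more independent categories from one parent is the pre-encryption pattern."""
    return len({t.split(":", 1)[0] for t in tags}) >= 2


SAMPLE_EVENTS = [  # (pid, ppid, cmdline), constructed from the report's process tree
    (2292, 2516, '"C:\\Users\\Admin\\AppData\\Local\\encrypt\\encrypt.exe" -e ul1'),
    (1316, 2516, "powercfg.exe -H off"),
    (656, 2516, f"powercfg.exe -SETACVALUEINDEX {HIGH_PERF} {SUB_BUTTONS} 7648efa3-dd9c-4e3e-b566-50f929386280 0"),
    (1532, 2516, f"powercfg.exe -SETDCVALUEINDEX {HIGH_PERF} {SUB_BUTTONS} 5ca83367-6e45-459f-a27b-476b1d01c936 0"),
    (1324, 2516, f"powercfg.exe -S {HIGH_PERF}"),
    (876, 2516, "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    (2160, 2516, "bcdedit.exe /set {default} recoveryenabled no"),
    (1772, 2516, "wbadmin.exe DELETE SYSTEMSTATEBACKUP"),
    (2440, 2516, "wbadmin.exe delete catalog -quiet"),
    (1960, 2516, '"C:\\Users\\Admin\\AppData\\Local\\encrypt\\sdel64.exe" -accepteula -p 3 -c C:\\'),
    (4100, 900, "powercfg.exe /h off"),  # constructed: a lone admin action, below the bar
]

if __name__ == "__main__":
    for ppid, tags in tags_by_parent(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {'SUSPICIOUS' if is_suspicious(tags) else 'ok'}")
        for t in tags:
            print("   ", t)
```

The rules deliberately match on the verb plus the recovery-relevant argument rather than on the image name alone: `bcdedit` and `wbadmin` are legitimate administration tools, and it is `recoveryenabled no` and `delete catalog` that have no routine use. Note that the sdel64.exe rule keys on the `-c` free-space switch, which is the anti-forensic step; SDelete used to wipe a single file would need its own rule.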
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Downloads
-
Filesize 9.3MB
MD5 828a3d4667743d8a82a78d65f3f82151
SHA1 ea6354954f4dda411f5f4c11a691eeb8157df340
SHA256 83a9f6138d1b02378099345da3fde4a089c32e1a943573a5182df032ab5458e9
SHA512 31163723a29a3d6f4d38875336a475bf6c78f4340212d4bc324e45e5244d825459825f49855c5b553e1fbc098d90357f03a290e803530afe7d61511527450e01
-
Filesize 1KB
MD5 f9b6ac9b419e1595984a40d5cb4c2aa8
SHA1 3431a55631e88a2b2982c1d39955f4aca6bc83fd
SHA256 bc6d6fedb065aa657a1af7e40cc589da1bceabb09ca6d8854172e4cca664cd1a
SHA512 e1493ae840bb960031445a2b3560350374c5d0b84eac1cd6634d6b391d95fe542e0463e1bb7e13f9a59c62ad0c2d9856334291821b97973f8550c1985c0e953c
-
Filesize 9.3MB
MD5 74c097be723d7faf70f06a38a2dc0565
SHA1 a6a52460afaafa62cad43efb30d7b6f5868cec26
SHA256 a3a768174b09e6d56fee80d6e0b44af0e4e526fff678315e9756b3d0c4571041
SHA512 7549abafd8f1d3547999edffa2d018cfba4a7b397dff2d339bb6ef2e4c810607091aebf89bcaffbfa9838819d05c9193f31dedf7006373f31428afdc8da78bdc
-
Filesize 20KB
MD5 7041a21e555cf31b0ca891d7e9b08c9c
SHA1 5ed26f24b7b793f21747dc974abbd6927942495a
SHA256 8bab2afcb05e2f59fbcc954e33d558afa6fbccd93cb6d51c40dc062cf7685f04
SHA512 51ff4408e56db410c3e29296c0cbb167a8caf36041656802c68773d7d519f87af6155220ea11f25231c80c738cddd5f747b44d43ad332aca10edbd67870596ed
-
Filesize 215B
MD5 d1f6937ee22c4c2a33cdc7c76f4a5ab6
SHA1 eda5a1e7ec1036ae9805567bb36e4fbe57b5c262
SHA256 905fbc87bb075de3106631b4cc6973110b175bd607e728ca28e637232d438e75
SHA512 a8f7ccc6d6deed765dedccbd81bfedfca1d0c8ce4085d484ea98c432a7096a0f5ad08d2e934f6f8d28f35a55c879cb3e6e35a7127149f82ae7061c174ecc59c3
-
Filesize 1.8MB
MD5 0064f7f6c81b95b24353f1310b3e3ed5
SHA1 38e893fd60d11bf674319177e6e8cdfc3a2b7215
SHA256 424f12cf2957937e1aa8fea6d5b2380780c89b6271f52d729b9fcafe0a5334d3
SHA512 81972839f6762d6cc6b40b67826c1248466732f10ab8104ed60c816c27fe63a304636ecceebc02fe228372a54b10db01f8fa4ea65569e81634366066e5004a21
-
Filesize 772KB
MD5 b93eb0a48c91a53bda6a1a074a4b431e
SHA1 ac693a14c697b1a8ee80318e260e817b8ee2aa86
SHA256 ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142
SHA512 732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5
-
Filesize 47.4MB
MD5 6e2bd9da8e4aa5ea5a4ca236bffbff2a
SHA1 0019332594d0ef67300c3257a2d6c708ffed53a6
SHA256 12921122de3b5525aab45bec5e7e0974e5da57914693bba12d5f6234f9e508a9
SHA512 0405a1ee08b7f9cdd068df78d7630f187349a75d80cb54952a8f0e1c5693dba6166db0ca469ee3c2d4025bffabe605ebb926a081aa9f3a23a86fe91eb84f6c46
-
Filesize 1.7MB
MD5 c44487ce1827ce26ac4699432d15b42a
SHA1 8434080fad778057a50607364fee8b481f0feef8
SHA256 4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405
SHA512 a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808
-
Filesize 20KB
MD5 f76c7e0522feac7f22bf8d1dbe42b50c
SHA1 eeac2e325dae17242a993f4be748b4f8b0aabed6
SHA256 d2bda99bfdadb5e0a9464d841f66c28891c67382e6c044b8e14aa46923601326
SHA512 96726be1bf168ae9be28e01f0dfc0c3b611c4d842de90ca71d009aa259f7d273bc094d34f2f7c7e1a6aa06b656d3d192baaac2c39c591610e428bc999132be2b
-
Filesize 550B
MD5 51014c0c06acdd80f9ae4469e7d30a9e
SHA1 204e6a57c44242fad874377851b13099dfe60176
SHA256 89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5
SHA512 79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c
-
Filesize 2.1MB
MD5 d02d7dc907d19d2e448368d433baebfe
SHA1 d66616386e968ddb4661a9f9c1ef8c63403ba8f8
SHA256 816fe96f0fff9475069d14cff51def4b823e1423c1aa464961ee6a61f7a62200
SHA512 8cf776ec9332fcff9a6a080f39a6c734df4ccfb9bf405232f00d967d80ff4968c248077d90a7eff368ae3d7ac0edc8f504596212bf176364bb5ae37532c7969b
-
Filesize 350KB
MD5 803df907d936e08fbbd06020c411be93
SHA1 4aa4b498ae037a2b0479659374a5c3af5f6b8d97
SHA256 e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c
SHA512 5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532
-
Filesize 448KB
MD5 e2114b1627889b250c7fd0425ba1bd54
SHA1 97412dba3cbeb0125c71b7b2ab194ea2fdff51b2
SHA256 5434dfdb731238edcb07a8c3a83594791536dda7a63c29f19be7bb1d59aedd60
SHA512 76ca5f677bc8ee1485f3d5b028b3a91f74344e9ff7af3c62a98e737a9888bd35389b3e6bf7b8b67747e0f64e1c973c0708864f12de1388b95f5c31b4e084e2e1
-
Filesize 32B
MD5 5d52bf0ad56a46b3ec3f0f0cdae0c74e
SHA1 128b12c7f5432fa1280eb4d74c4242fa49732f6c
SHA256 09c09be4e16f8e9b1ac66e62766affc2a40801dd071a14f073089ac497fe5c48
SHA512 abaf7f21d9956b59dea8d761e854a1f67cf7f201c94c5cfae372da6c0da518be45f6d3b31f75e3ac55670ec1a1b5bad49b3e8d3a82fe132413f3761ac1d69f33
-
Filesize 84KB
MD5 3b03324537327811bbbaff4aafa4d75b
SHA1 1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7
SHA256 8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880
SHA512 ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62
-
Filesize 3.0MB
MD5 a48ee000e248741247c24dc70fa2f936
SHA1 4c814fe7c94e6fb4d1d89cdae7e6e83905c459d7
SHA256 bb28adc32ff1b9dcfaac6b7017b4896d2807b48080f9e6720afde3f89d69676c
SHA512 8bdd60732bf105b9ade5d4dbc5c722a866119e0a284692afc1bd5b530a4afc3954536a14946a87f72213c92020def2ac7b5c1cbcc51b6e0ad5671b7c58543f34