Analysis
-
max time kernel
150s
-
max time network
140s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240419-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
08-05-2024 13:07
Static task
static1
Behavioral task
behavioral1
Sample
09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe
Resource
win10v2004-20240419-en
General
-
Target
09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe
-
Size
131KB
-
MD5
5dd451691d249335fe3918b9865814d5
-
SHA1
da0b239b102c5266c1c2cb15b7c42b0a54b1ca23
-
SHA256
aff75f4ea273d6ab7a9cb9023c37ab723c827ca2a630342dd0054d9c4f0c1227
-
SHA512
c1d0a729ca243a192df7753c382a6ed503002b310ab7648f4fcc4618a8647366356aebb01a1e707fb9a1a75396d2a43436028b1099e35d96deef170fc917e8e6
-
SSDEEP
1536:EAzqL19QneOJQObmI/yPJJHAE4qJvbfxsIzAaVVlo/ba5CabNF+FsBDIQlfJ2hMM:PqtOJRf/yxJAmlRVHFb5J2yos2T
Malware Config
Extracted
C:\Users\Admin\Downloads\# DECRYPT MY FILES #.txt
cerber
http://cerberhhyed5frqa.xmfir0.win/97BC-92FC-07E2-006F-5897
http://cerberhhyed5frqa.gkfit9.win/97BC-92FC-07E2-006F-5897
http://cerberhhyed5frqa.305iot.win/97BC-92FC-07E2-006F-5897
http://cerberhhyed5frqa.dkrti5.win/97BC-92FC-07E2-006F-5897
http://cerberhhyed5frqa.cneo59.win/97BC-92FC-07E2-006F-5897
http://cerberhhyed5frqa.onion/97BC-92FC-07E2-006F-5897
Extracted
C:\Users\Admin\Downloads\# DECRYPT MY FILES #.html
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Contacts a large (16404) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: CheckNetIsolation.exe, 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{E0802A28-45A9-10E6-D5E5-8AECBC5298F4}\\CheckNetIsolation.exe\"" (process: CheckNetIsolation.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{E0802A28-45A9-10E6-D5E5-8AECBC5298F4}\\CheckNetIsolation.exe\"" (process: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe)
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: CheckNetIsolation.exe
- Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation (process: CheckNetIsolation.exe)
-
Drops startup file 2 IoCs
Processes: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe, CheckNetIsolation.exe
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\CheckNetIsolation.lnk (process: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\CheckNetIsolation.lnk (process: CheckNetIsolation.exe)
-
Executes dropped EXE 1 IoCs
Processes: CheckNetIsolation.exe
- PID 2052 CheckNetIsolation.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe, CheckNetIsolation.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CheckNetIsolation = "\"C:\\Users\\Admin\\AppData\\Roaming\\{E0802A28-45A9-10E6-D5E5-8AECBC5298F4}\\CheckNetIsolation.exe\"" (process: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\CheckNetIsolation = "\"C:\\Users\\Admin\\AppData\\Roaming\\{E0802A28-45A9-10E6-D5E5-8AECBC5298F4}\\CheckNetIsolation.exe\"" (process: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CheckNetIsolation = "\"C:\\Users\\Admin\\AppData\\Roaming\\{E0802A28-45A9-10E6-D5E5-8AECBC5298F4}\\CheckNetIsolation.exe\"" (process: CheckNetIsolation.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\CheckNetIsolation = "\"C:\\Users\\Admin\\AppData\\Roaming\\{E0802A28-45A9-10E6-D5E5-8AECBC5298F4}\\CheckNetIsolation.exe\"" (process: CheckNetIsolation.exe)
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 9: ipinfo.io
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: CheckNetIsolation.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA4A7.bmp" (process: CheckNetIsolation.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
- PID 928 vssadmin.exe
-
Kills process with taskkill 2 IoCs
Processes: taskkill.exe, taskkill.exe
- PID 464 taskkill.exe
- PID 5560 taskkill.exe
-
Modifies Control Panel 4 IoCs
Processes: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe, CheckNetIsolation.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{E0802A28-45A9-10E6-D5E5-8AECBC5298F4}\\CheckNetIsolation.exe\"" (process: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe)
- Key created \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop (process: CheckNetIsolation.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{E0802A28-45A9-10E6-D5E5-8AECBC5298F4}\\CheckNetIsolation.exe\"" (process: CheckNetIsolation.exe)
- Key created \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop (process: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe)
-
Modifies registry class 1 IoCs
Processes: CheckNetIsolation.exe
- Key created \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings (process: CheckNetIsolation.exe)
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes: CheckNetIsolation.exe, msedge.exe, msedge.exe, identity_helper.exe
- PID 2052 CheckNetIsolation.exe (38 entries)
- PID 4580 msedge.exe (2 entries)
- PID 1460 msedge.exe (2 entries)
- PID 4068 identity_helper.exe (2 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes: msedge.exe
- PID 1460 msedge.exe (10 entries)
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
Processes: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe, taskkill.exe, CheckNetIsolation.exe, vssvc.exe, wmic.exe, AUDIODG.EXE, taskkill.exe
- Token: SeDebugPrivilege, PID 2092 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe
- Token: SeDebugPrivilege, PID 464 taskkill.exe
- Token: SeDebugPrivilege, PID 2052 CheckNetIsolation.exe
- Token: SeBackupPrivilege, PID 4928 vssvc.exe
- Token: SeRestorePrivilege, PID 4928 vssvc.exe
- Token: SeAuditPrivilege, PID 4928 vssvc.exe
- PID 4448 wmic.exe, each of the following tokens listed twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Token: 33, PID 4284 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, PID 4284 AUDIODG.EXE
- Token: SeDebugPrivilege, PID 5560 taskkill.exe
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes: msedge.exe
- PID 1460 msedge.exe (25 entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
- PID 1460 msedge.exe (24 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe, cmd.exe, CheckNetIsolation.exe, msedge.exe
- PID 2092 (09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe) wrote to memory of PID 2052 (CheckNetIsolation.exe), 3 entries
- PID 2092 (09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe) wrote to memory of PID 4916 (cmd.exe), 3 entries
- PID 4916 (cmd.exe) wrote to memory of PID 464 (taskkill.exe), 3 entries
- PID 2052 (CheckNetIsolation.exe) wrote to memory of PID 928 (vssadmin.exe), 2 entries
- PID 4916 (cmd.exe) wrote to memory of PID 4428 (PING.EXE), 3 entries
- PID 2052 (CheckNetIsolation.exe) wrote to memory of PID 4448 (wmic.exe), 2 entries
- PID 2052 (CheckNetIsolation.exe) wrote to memory of PID 1460 (msedge.exe), 2 entries
- PID 1460 (msedge.exe) wrote to memory of PID 4584 (msedge.exe), 2 entries
- PID 2052 (CheckNetIsolation.exe) wrote to memory of PID 2148 (NOTEPAD.EXE), 2 entries
- PID 1460 (msedge.exe) wrote to memory of PID 4712 (msedge.exe), 40 entries
- PID 1460 (msedge.exe) wrote to memory of PID 4580 (msedge.exe), 2 entries
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe"
- Adds policy Run key to start application
- Drops startup file
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Users\Admin\AppData\Roaming\{E0802A28-45A9-10E6-D5E5-8AECBC5298F4}\CheckNetIsolation.exe
Command line: "C:\Users\Admin\AppData\Roaming\{E0802A28-45A9-10E6-D5E5-8AECBC5298F4}\CheckNetIsolation.exe"
- Adds policy Run key to start application
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\vssadmin.exe
Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
- Interacts with shadow copies
-
[depth 3] C:\Windows\system32\wbem\wmic.exe
Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd832846f8,0x7ffd83284708,0x7ffd83284718
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,5343767205800916713,13810804926132651009,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,5343767205800916713,13810804926132651009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,5343767205800916713,13810804926132651009,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5343767205800916713,13810804926132651009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5343767205800916713,13810804926132651009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5343767205800916713,13810804926132651009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5343767205800916713,13810804926132651009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5343767205800916713,13810804926132651009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5343767205800916713,13810804926132651009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5343767205800916713,13810804926132651009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5343767205800916713,13810804926132651009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5343767205800916713,13810804926132651009,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5343767205800916713,13810804926132651009,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5343767205800916713,13810804926132651009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5343767205800916713,13810804926132651009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
-
[depth 3] C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
-
[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.xmfir0.win/97BC-92FC-07E2-006F-5897
-
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd832846f8,0x7ffd83284708,0x7ffd83284718
-
[depth 3] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
-
[depth 3] C:\Windows\system32\cmd.exe
Command line: /d /c taskkill /t /f /im "CheckNetIsolation.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{E0802A28-45A9-10E6-D5E5-8AECBC5298F4}\CheckNetIsolation.exe" > NUL
-
[depth 4] C:\Windows\system32\taskkill.exe
Command line: taskkill /t /f /im "CheckNetIsolation.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
[depth 4] C:\Windows\system32\PING.EXE
Command line: ping -n 1 127.0.0.1
- Runs ping.exe
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: /d /c taskkill /t /f /im "09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe" > NUL
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /t /f /im "09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 1 127.0.0.1
- Runs ping.exe
-
[depth 1] C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
[depth 1] C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
[depth 1] C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x47c 0x408
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 1cbd0e9a14155b7f5d4f542d09a83153
SHA1: 27a442a921921d69743a8e4b76ff0b66016c4b76
SHA256: 243d05d6af19bfe3e06b1f7507342ead88f9d87b84e239ad1d144e9e454b548c
SHA512: 17e5217d5bf67571afb0e7ef30ac21c11ea6553f89457548d96ee4461011f641a7872a37257239fa5f25702f027afb85d5bd9faf2f2f183992b8879407e56a0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 4e96ed67859d0bafd47d805a71041f49
SHA1: 7806c54ae29a6c8d01dcbc78e5525ddde321b16b
SHA256: bd13ddab4dc4bbf01ed50341953c9638f6d71faf92bc79fbfe93687432c2292d
SHA512: 432201c3119779d91d13da55a26d4ff4ce4a9529e00b44ec1738029f92610d4e6e25c05694adf949c3e9c70fbbbbea723f63c29287906729f5e88a046a2edcb7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 685d42a8971411005c4077d020cb850e
SHA1: 7bf47fe6f04544ad060ac78dac670061b673fdd6
SHA256: 4aff49675c10e017ea92f1308f25bd972dd14af1c68d5869cd97340264c96c98
SHA512: c91b4548aff1394d1898bb0bbfd06d96d20087dd5040e28cba165e1f6da778b6865559faf0cee1b2a25a8662afee44b4f0a21fe5d9cff17b6c991399ce547424
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e3eb6570-122d-4361-857f-29e1368ad2f6.tmp
Filesize: 5KB
MD5: b60100bcef186e3b1da4ac7e912f70c9
SHA1: 00c6c8a814cbdffa485c828d11f8b8dcc875d410
SHA256: fb21dc8514f0975611d9564eced041bf1b83af2f7228611cb4b9cbdbbff24d06
SHA512: 88b923fa1ca1ba230116c300297ca01119e9c19696d51bb29b37ea98ee5fa1cc37861b69042d7f8e1a6669db55ce86a344ccb10e93afa546242e0b96240e2de0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 8344772358877595c9f41ebb53b73c29
SHA1: 18eaadd02dfbf6b7a327f1ddb5a31250ce858311
SHA256: 14d2e042d1a944c117fdf722d6d42ae1a3bdbd61d15167a960fb8ff3a268fbc2
SHA512: c328c4f54c8c68954efdb7e7786775423891754cfd048e1aec1b488956c0013ee91e2af11a346a062b1228343368e87f1aaaafe6ebd8c23d38e011c6dc811ff4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\CheckNetIsolation.lnk
Filesize: 1KB
MD5: f0debc754bd2a3453de5898ab401e286
SHA1: 3482f0def83ef727c4de178faa7fec1197931399
SHA256: f6be392a730ec25206e89ef671cec121b4deffd67be556f661bdda7cb437a207
SHA512: 83d5fb1f468f551ec0d29c5f5978961f416f3c24fbc66a1fd65e54904fd428d7f72093f1aa50e3cf8c216074bf18b7e40748f2d7bc72307bd85074bbebd6dc05
-
C:\Users\Admin\AppData\Roaming\{E0802A28-45A9-10E6-D5E5-8AECBC5298F4}\CheckNetIsolation.exe
Filesize: 131KB
MD5: 5dd451691d249335fe3918b9865814d5
SHA1: da0b239b102c5266c1c2cb15b7c42b0a54b1ca23
SHA256: aff75f4ea273d6ab7a9cb9023c37ab723c827ca2a630342dd0054d9c4f0c1227
SHA512: c1d0a729ca243a192df7753c382a6ed503002b310ab7648f4fcc4618a8647366356aebb01a1e707fb9a1a75396d2a43436028b1099e35d96deef170fc917e8e6
-
C:\Users\Admin\Downloads\# DECRYPT MY FILES #.html
Filesize: 12KB
MD5: 63c76c6ab7d505330e20221b53757791
SHA1: 0224b9849a358ba202f81bb8013ec5bfa609cc64
SHA256: 72cfba98834ca77efa8e39c398aa3cfaacb7825a52474db3c852ebe1bd98dc14
SHA512: e2faa252a7e7c61436cfe0a69a1b99cbcf6f2863e0cfe56904790b3a043fd3d4ee65193be0fe694108f34691ac2b20402433a53d8082cb2436bf419ac50cc3b4
-
C:\Users\Admin\Downloads\# DECRYPT MY FILES #.txt
Filesize: 10KB
MD5: 28df885d668210f2355be075e4dfe4b4
SHA1: dbd0b37e1212ffa45f23c42995aadf4d2970545e
SHA256: 82789564a3d2b531c036df548006d4fd86c0e1c542b74ba3ad13875b60011aa4
SHA512: 0485d8280089010a12f128800c2229a08078c68dbbf775a0daac47c20f97418a17a5a861c151584d8ebc75dd4b83b10cbc6e64fe14eb1cae0435c1491e84140a
-
C:\Users\Admin\Downloads\# DECRYPT MY FILES #.url
Filesize: 85B
MD5: 245eacad12a71a02e65e56237535f27d
SHA1: 143058ac1f01b37625eba2820556fcc6c8476eea
SHA256: 7d6ce5ff7c3808e4fcc4285017bf9700589adf52e8fabfda3882b555418f936e
SHA512: 42178b3f7ee1b79e006dea61128f21000dfcadbbb908e960a1d4a37f80366d85fac5efaeb9bc9afaafb72e90941976115a48cf3922617df62680c853aaceae86
-
C:\Users\Admin\Downloads\# DECRYPT MY FILES #.vbs
Filesize: 219B
MD5: 35a3e3b45dcfc1e6c4fd4a160873a0d1
SHA1: a0bcc855f2b75d82cbaae3a8710f816956e94b37
SHA256: 8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
SHA512: 6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853
-
\??\pipe\LOCAL\crashpad_1460_WEZUYYJDFWYFZEKX
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2052-18-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize: 156KB
-
memory/2052-22-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize: 156KB
-
memory/2052-16-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize: 156KB
-
memory/2052-14-0x00000000034B0000-0x00000000034B1000-memory.dmp
Filesize: 4KB
-
memory/2052-12-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize: 156KB
-
memory/2052-11-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize: 156KB
-
memory/2052-381-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize: 156KB
-
memory/2052-399-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize: 156KB
-
memory/2092-0-0x00000000004A0000-0x00000000004B6000-memory.dmp
Filesize: 88KB
-
memory/2092-10-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize: 156KB
-
memory/2092-1-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize: 156KB