Analysis
max time kernel: 164s
max time network: 126s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 14-05-2024 05:00

Static task: static1

Behavioral task: behavioral1
Sample: b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe
Resource: win10-20240404-en
General
Target: b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe
Size: 5.8MB
MD5: e7d5201947829fd265a0356771fbeb63
SHA1: 6c90b89aad04f38c584fcee1d47fed9cd79f8ef1
SHA256: b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9
SHA512: e3442ecebdb29ea722142f9a1a533b8fe6297b9e6923cf290cc3850287a864059bb17709ee03ce134f36d5e333a36a9c37345507a7f9fbd007ca8fbf89abce31
SSDEEP: 98304:yfUTMfcltw7HaqKN2A2lO8azKowdWr6z3h4q1KIqoS4aMTlcMmbFLOAkGkzdnEVk:2UiEsGE/r1R4q8IqoSP4cMmbFLOyomFI
Malware Config
Extracted from: C:\Program Files (x86)\instructions_read_me.txt
Family: blackbasta
URL: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe" | b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe
Drops desktop.ini file(s) (1 IoC)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe
Drops file in Program Files directory (64 IoCs)
Process for every entry below: b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe
description | ioc
File opened for modification | C:\Program Files\Windows Defender\ProtectionManagement.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated.png
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.3.2.jar
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-200.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\priidu.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ro-ro\ui-strings.js
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-ms
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\he-il\instructions_read_me.txt
File opened for modification | C:\Program Files\Common Files\System\msadc\msadds.dll
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ChakraCore.Debugger.dll
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GameEnd\gameEnd_preview_image.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-32.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7cb.png
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libimem_plugin.dll
File opened for modification | C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSans.ttf
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-400.png
File created | C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\instructions_read_me.txt
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\instructions_read_me.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\compare_poster.jpg
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\instructions_read_me.txt
File opened for modification | C:\Program Files\Windows Defender\SymSrv.yes
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\AppxManifest.xml
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-200.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-60.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\SmallTile.scale-125.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\ui-strings.js
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\WindowsCamera.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\in_16x11.png
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ads_casualgames_728x90.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-36.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-60_altform-unplated.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectSplashScreen.scale-200.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\fable.jpg
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\instructions_read_me.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\clrcompression.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\AppxSignature.p7x
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui
File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md
File created | C:\Program Files\Java\jre-1.8\lib\jfr\instructions_read_me.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png
File created | C:\Program Files\VideoLAN\VLC\locale\sw\instructions_read_me.txt
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_udp_plugin.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-125.png
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\instructions_read_me.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\mask\1s.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\punch.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\3DViewer.dll
File created | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\instructions_read_me.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_altform-unplated_contrast-white.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\WideTile.scale-200.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\1h.png
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-default_32.svg
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\ui-strings.js
Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | SearchUI.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
3000 | vssadmin.exe

Modifies Internet Explorer settings (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\GPU | SearchUI.exe
Modifies registry class (21 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" | SearchUI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1o5x619pc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico" | b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | SearchUI.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | SearchUI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1o5x619pc\DefaultIcon | b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1o5x619pc | b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | SearchUI.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" | SearchUI.exe
Opens file in notepad (likely ransom note) (1 IoC)
pid | Process
1396 | notepad.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
420 | b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe
420 | b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 1164 | vssvc.exe
Token: SeRestorePrivilege | 1164 | vssvc.exe
Token: SeAuditPrivilege | 1164 | vssvc.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
420 | b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe
3916 | SearchUI.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 420 wrote to memory of 2896 | 420 | b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe | 74
PID 420 wrote to memory of 2896 | 420 | b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe | 74
PID 420 wrote to memory of 2896 | 420 | b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe | 74
PID 2896 wrote to memory of 3000 | 2896 | cmd.exe | 76
PID 2896 wrote to memory of 3000 | 2896 | cmd.exe | 76
PID 420 wrote to memory of 1348 | 420 | b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe | 85
PID 420 wrote to memory of 1348 | 420 | b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe | 85
PID 420 wrote to memory of 1348 | 420 | b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe | 85
PID 1348 wrote to memory of 1396 | 1348 | cmd.exe | 87
PID 1348 wrote to memory of 1396 | 1348 | cmd.exe | 87
PID 1348 wrote to memory of 1396 | 1348 | cmd.exe | 87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe"
  PID: 420
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
    PID: 2896
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\vssadmin.exe
      Command line: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      PID: 3000
      - Interacts with shadow copies

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c start /MAX notepad.exe c:\instructions_read_me.txt
    PID: 1348
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe
      Command line: notepad.exe c:\instructions_read_me.txt
      PID: 1396
      - Opens file in notepad (likely ransom note)

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1164
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
  PID: 3916
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
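The process tree and the registry signatures above give a detection engineer four concrete, host-observable behaviours: shadow-copy deletion through a cmd.exe wrapper around vssadmin.exe, a Run-key value ("Skype") pointing back into %TEMP%, a new file-extension class (.1o5x619pc) whose DefaultIcon is a .ico in %TEMP% (the pattern ransomware uses to give encrypted files a custom icon), and the ransom note being opened in notepad.exe. Two caveats from the tree are worth carrying into a rule: the sample spawns cmd.exe and notepad.exe from SysWOW64, which marks it as a 32-bit process, and it reaches the 64-bit vssadmin.exe through the C:\Windows\SysNative alias, so a rule keyed on the literal path C:\Windows\System32\vssadmin.exe would miss the command line; match on the tool name and its arguments instead. The script below is an added example, not part of the sandbox report: it replays constructed Sysmon-style events modelled on the PIDs, command lines and registry paths above and reports which of those four behaviours fire, with the parent chain for the shadow-copy deletion. The event dictionary layout, the root process's ppid of 0 and the rule names are assumptions made for the example.

```python
"""Triage detector for the behaviours recorded in this report (added example)."""
import re
from dataclasses import dataclass

# Names taken from the report above.
SAMPLE = "b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000"


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Patterns derived from the signatures above; matched on command lines and on
# native-format registry paths as a sandbox or Sysmon would record them.
VSSADMIN_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)
RANSOM_NOTE = re.compile(r"instructions_read_me\.txt", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
EXT_DEFAULT_ICON = re.compile(r"\\SOFTWARE\\Classes\\(\.[^\\]+)\\DefaultIcon\\?$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, images: dict, parents: dict) -> list:
    """Walk child -> parent using only the process-create events seen so far."""
    chain = []
    while pid in images:
        chain.append(images[pid])
        pid = parents[pid]
    return chain


def analyze(events: list) -> list:
    """Replay events in order and return every Finding."""
    images, parents, findings = {}, {}, []
    for ev in events:
        if ev["type"] == "process_create":
            pid, cmd = ev["pid"], ev["cmdline"]
            images[pid], parents[pid] = basename(ev["image"]), ev["ppid"]
            # Fires for the wrapper cmd.exe as well as vssadmin itself; the
            # ancestry string shows which process asked for the deletion.
            if VSSADMIN_DELETE.search(cmd):
                findings.append(Finding("shadow_copy_deletion", pid,
                                        " <- ".join(ancestry(pid, images, parents))))
            if images[pid] == "notepad.exe" and RANSOM_NOTE.search(cmd):
                findings.append(Finding("ransom_note_opened", pid, cmd))
        elif ev["type"] == "registry_set":
            pid, key, value = ev["pid"], ev["key"], ev["value"]
            if RUN_KEY.search(key) and TEMP_DIR.search(value):
                findings.append(Finding("run_key_persistence_from_temp", pid, f"{key} = {value}"))
            m = EXT_DEFAULT_ICON.search(key)
            if m and value.lower().endswith(".ico") and TEMP_DIR.search(value):
                findings.append(Finding("encrypted_extension_registered", pid, m.group(1)))
    return findings


def rules_hit(findings: list) -> dict:
    """Count findings per rule, for a one-line verdict."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed events modelled on the process tree and registry IoCs above.
# The event layout and the root process's ppid (0) are assumptions.
EVENTS = [
    {"type": "process_create", "pid": 420, "ppid": 0,
     "image": f"{TEMP}\\{SAMPLE}", "cmdline": f'"{TEMP}\\{SAMPLE}"'},
    {"type": "registry_set", "pid": 420,
     "key": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Skype",
     "value": f"{TEMP}\\{SAMPLE}"},
    {"type": "registry_set", "pid": 420,
     "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.1o5x619pc\\DefaultIcon\\",
     "value": f"{TEMP}\\fkdjsadasd.ico"},
    {"type": "process_create", "pid": 2896, "ppid": 420,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"},
    {"type": "process_create", "pid": 3000, "ppid": 2896,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"},
    {"type": "process_create", "pid": 1348, "ppid": 420,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c start /MAX notepad.exe c:\instructions_read_me.txt"},
    {"type": "process_create", "pid": 1396, "ppid": 1348,
     "image": r"C:\Windows\SysWOW64\notepad.exe",
     "cmdline": r"notepad.exe c:\instructions_read_me.txt"},
    # Benign noise from the same run: Cortana's SearchUI.exe writing its own cache keys.
    {"type": "registry_set", "pid": 3916,
     "key": USER_HIVE + r"_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion"
                        r"\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy"
                        r"\Internet Settings\Cache\Cookies\CachePrefix",
     "value": "Cookie:"},
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
    print(rules_hit(analyze(EVENTS)))
```

Run against the constructed events, shadow_copy_deletion fires twice (for cmd.exe 2896 and vssadmin.exe 3000, each with its chain back to the sample), the other three rules fire once each for PID 420 or 1396, and the SearchUI.exe registry noise produces nothing. To use it on real telemetry, map Sysmon Event ID 1 (process create) and Event ID 13 (registry value set) onto the same dictionaries; the registry patterns expect the native \REGISTRY\USER and \REGISTRY\MACHINE prefixes that Sysmon and this sandbox both emit.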
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 6afeff98a2aa3f4404a8a915a8531fc3
SHA1: 788bc5e201c38276b0a2878d4cacdd4cf08ab248
SHA256: 744b2fa15e5676fa2a729b23a73534db2a426a22c3eadbc61409cd6936dee9fc
SHA512: 4e355389461e865070dff850b432198afdd0d3a685098a99032d51e425a5b33ed23425a74bac8d94bd30cc766e3516f0d778983b7c498846d5dc07188fd0fa12