chaos | f3c1bfeb62067c797eb43f47daec11e72c0cbc85d5c26ca001caba5f2732d20a

Analysis

max time kernel
135s
max time network
142s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 15:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Convert_mp4_to_mkv.exe
Size

290KB
MD5

62878b796562c411dd59d57dc2076967
SHA1

8f49669864e863ba3a081fe3bd10d88bfc01a10f
SHA256

f3c1bfeb62067c797eb43f47daec11e72c0cbc85d5c26ca001caba5f2732d20a
SHA512

49dd25c2c071376ccdf18ca2bc9d6c03a12226d1bd5e7cc04184d87b9e68c75cd4b4b3bd4d135ede3c821a65609ee26d97adecad9b89ccc5dfdc185d6c5b3795
SSDEEP

3072:H4dzVTaer344JzthRZijQ1Jf12bj8E7bwcZflRVGLDyHzZLB3VDELbkWSecuwjZf:HmRHz4mnREj21g3J/bwGLjejjH6erO

Score

10^/10

chaos defense_evasion evasion execution impact persistence ransomware spyware stealer upx

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016ccf-25.dat	family_chaos
behavioral1/memory/2552-27-0x0000000001160000-0x00000000011C4000-memory.dmp	family_chaos
behavioral1/memory/3000-44-0x0000000000E30000-0x0000000000E94000-memory.dmp	family_chaos

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1048	bcdedit.exe
2244	bcdedit.exe

Renames multiple (200) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2304	wbadmin.exe

Disables Task Manager via registry modification
evasion

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.url	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Windows Defender.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.txt	Windows Defender.exe

Executes dropped EXE 4 IoCs

pid	Process
2612	MBR.exe
2552	Windows_Mania_WannaCry_Removal.exe
3000	Windows Defender.exe
1684	SystemBlocker_Interface.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2184-0-0x0000000140000000-0x0000000140083000-memory.dmp	upx
behavioral1/memory/2184-29-0x0000000140000000-0x0000000140083000-memory.dmp	upx

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Windows Defender.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	Windows Defender.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	Windows Defender.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\p5uz7l82q.jpg"	Windows Defender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1908	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1616	taskkill.exe
2544	taskkill.exe
2188	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2880	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2380	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3000	Windows Defender.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1684	SystemBlocker_Interface.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2552	Windows_Mania_WannaCry_Removal.exe
2552	Windows_Mania_WannaCry_Removal.exe
2552	Windows_Mania_WannaCry_Removal.exe
3000	Windows Defender.exe
3000	Windows Defender.exe
3000	Windows Defender.exe
3000	Windows Defender.exe
3000	Windows Defender.exe
3000	Windows Defender.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2420	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeDebugPrivilege	2552	Windows_Mania_WannaCry_Removal.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeDebugPrivilege	3000	Windows Defender.exe
Token: SeDebugPrivilege	2188	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeBackupPrivilege	2480	vssvc.exe
Token: SeRestorePrivilege	2480	vssvc.exe
Token: SeAuditPrivilege	2480	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1504	WMIC.exe
Token: SeSecurityPrivilege	1504	WMIC.exe
Token: SeTakeOwnershipPrivilege	1504	WMIC.exe
Token: SeLoadDriverPrivilege	1504	WMIC.exe
Token: SeSystemProfilePrivilege	1504	WMIC.exe
Token: SeSystemtimePrivilege	1504	WMIC.exe
Token: SeProfSingleProcessPrivilege	1504	WMIC.exe
Token: SeIncBasePriorityPrivilege	1504	WMIC.exe
Token: SeCreatePagefilePrivilege	1504	WMIC.exe
Token: SeBackupPrivilege	1504	WMIC.exe
Token: SeRestorePrivilege	1504	WMIC.exe
Token: SeShutdownPrivilege	1504	WMIC.exe
Token: SeDebugPrivilege	1504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1504	WMIC.exe
Token: SeRemoteShutdownPrivilege	1504	WMIC.exe
Token: SeUndockPrivilege	1504	WMIC.exe
Token: SeManageVolumePrivilege	1504	WMIC.exe
Token: 33	1504	WMIC.exe
Token: 34	1504	WMIC.exe
Token: 35	1504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1504	WMIC.exe
Token: SeSecurityPrivilege	1504	WMIC.exe
Token: SeTakeOwnershipPrivilege	1504	WMIC.exe
Token: SeLoadDriverPrivilege	1504	WMIC.exe
Token: SeSystemProfilePrivilege	1504	WMIC.exe
Token: SeSystemtimePrivilege	1504	WMIC.exe
Token: SeProfSingleProcessPrivilege	1504	WMIC.exe
Token: SeIncBasePriorityPrivilege	1504	WMIC.exe
Token: SeCreatePagefilePrivilege	1504	WMIC.exe
Token: SeBackupPrivilege	1504	WMIC.exe
Token: SeRestorePrivilege	1504	WMIC.exe
Token: SeShutdownPrivilege	1504	WMIC.exe
Token: SeDebugPrivilege	1504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1504	WMIC.exe
Token: SeRemoteShutdownPrivilege	1504	WMIC.exe
Token: SeUndockPrivilege	1504	WMIC.exe
Token: SeManageVolumePrivilege	1504	WMIC.exe
Token: 33	1504	WMIC.exe
Token: 34	1504	WMIC.exe
Token: 35	1504	WMIC.exe
Token: SeBackupPrivilege	1528	wbengine.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2524	2184	Convert_mp4_to_mkv.exe	28
PID 2184 wrote to memory of 2524	2184	Convert_mp4_to_mkv.exe	28
PID 2184 wrote to memory of 2524	2184	Convert_mp4_to_mkv.exe	28
PID 2524 wrote to memory of 2612	2524	cmd.exe	30
PID 2524 wrote to memory of 2612	2524	cmd.exe	30
PID 2524 wrote to memory of 2612	2524	cmd.exe	30
PID 2524 wrote to memory of 2760	2524	cmd.exe	31
PID 2524 wrote to memory of 2760	2524	cmd.exe	31
PID 2524 wrote to memory of 2760	2524	cmd.exe	31
PID 2524 wrote to memory of 2532	2524	cmd.exe	32
PID 2524 wrote to memory of 2532	2524	cmd.exe	32
PID 2524 wrote to memory of 2532	2524	cmd.exe	32
PID 2524 wrote to memory of 2516	2524	cmd.exe	33
PID 2524 wrote to memory of 2516	2524	cmd.exe	33
PID 2524 wrote to memory of 2516	2524	cmd.exe	33
PID 2524 wrote to memory of 1656	2524	cmd.exe	34
PID 2524 wrote to memory of 1656	2524	cmd.exe	34
PID 2524 wrote to memory of 1656	2524	cmd.exe	34
PID 2524 wrote to memory of 2744	2524	cmd.exe	35
PID 2524 wrote to memory of 2744	2524	cmd.exe	35
PID 2524 wrote to memory of 2744	2524	cmd.exe	35
PID 2524 wrote to memory of 2544	2524	cmd.exe	36
PID 2524 wrote to memory of 2544	2524	cmd.exe	36
PID 2524 wrote to memory of 2544	2524	cmd.exe	36
PID 2524 wrote to memory of 2420	2524	cmd.exe	38
PID 2524 wrote to memory of 2420	2524	cmd.exe	38
PID 2524 wrote to memory of 2420	2524	cmd.exe	38
PID 2524 wrote to memory of 2552	2524	cmd.exe	39
PID 2524 wrote to memory of 2552	2524	cmd.exe	39
PID 2524 wrote to memory of 2552	2524	cmd.exe	39
PID 2524 wrote to memory of 2380	2524	cmd.exe	40
PID 2524 wrote to memory of 2380	2524	cmd.exe	40
PID 2524 wrote to memory of 2380	2524	cmd.exe	40
PID 2552 wrote to memory of 3000	2552	Windows_Mania_WannaCry_Removal.exe	44
PID 2552 wrote to memory of 3000	2552	Windows_Mania_WannaCry_Removal.exe	44
PID 2552 wrote to memory of 3000	2552	Windows_Mania_WannaCry_Removal.exe	44
PID 2524 wrote to memory of 2188	2524	cmd.exe	46
PID 2524 wrote to memory of 2188	2524	cmd.exe	46
PID 2524 wrote to memory of 2188	2524	cmd.exe	46
PID 2524 wrote to memory of 1616	2524	cmd.exe	47
PID 2524 wrote to memory of 1616	2524	cmd.exe	47
PID 2524 wrote to memory of 1616	2524	cmd.exe	47
PID 2524 wrote to memory of 1684	2524	cmd.exe	48
PID 2524 wrote to memory of 1684	2524	cmd.exe	48
PID 2524 wrote to memory of 1684	2524	cmd.exe	48
PID 2524 wrote to memory of 1684	2524	cmd.exe	48
PID 2524 wrote to memory of 2940	2524	cmd.exe	49
PID 2524 wrote to memory of 2940	2524	cmd.exe	49
PID 2524 wrote to memory of 2940	2524	cmd.exe	49
PID 3000 wrote to memory of 2840	3000	Windows Defender.exe	51
PID 3000 wrote to memory of 2840	3000	Windows Defender.exe	51
PID 3000 wrote to memory of 2840	3000	Windows Defender.exe	51
PID 2840 wrote to memory of 1908	2840	cmd.exe	53
PID 2840 wrote to memory of 1908	2840	cmd.exe	53
PID 2840 wrote to memory of 1908	2840	cmd.exe	53
PID 2840 wrote to memory of 1504	2840	cmd.exe	56
PID 2840 wrote to memory of 1504	2840	cmd.exe	56
PID 2840 wrote to memory of 1504	2840	cmd.exe	56
PID 3000 wrote to memory of 2204	3000	Windows Defender.exe	57
PID 3000 wrote to memory of 2204	3000	Windows Defender.exe	57
PID 3000 wrote to memory of 2204	3000	Windows Defender.exe	57
PID 2204 wrote to memory of 1048	2204	cmd.exe	59
PID 2204 wrote to memory of 1048	2204	cmd.exe	59
PID 2204 wrote to memory of 1048	2204	cmd.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Convert_mp4_to_mkv.exe
"C:\Users\Admin\AppData\Local\Temp\Convert_mp4_to_mkv.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7F2E.tmp\7F3F.tmp\7F40.bat C:\Users\Admin\AppData\Local\Temp\Convert_mp4_to_mkv.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\7F2E.tmp\MBR.exe
    MBR.exe
    3⤵
    - Executes dropped EXE
    PID:2612
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLogOff" /t REG_DWORD /d 1 /f
    3⤵
    PID:2760
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
    3⤵
    PID:2532
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
    3⤵
    PID:2516
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
    3⤵
    PID:1656
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "shutdownwithoutlogon" /t REG_DWORD /d 0 /f
    3⤵
    PID:2744
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2420
- - C:\Users\Admin\AppData\Local\Temp\7F2E.tmp\Windows_Mania_WannaCry_Removal.exe
    Windows_Mania_WannaCry_Removal.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Roaming\Windows Defender.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops desktop.ini file(s)
      Sets desktop wallpaper using registry
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:1908
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1048
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2244
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        5⤵
        
        PID:1920
      - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        6⤵
        Deletes backup catalog
        
        PID:2304
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2880
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 70
    3⤵
    - Runs ping.exe
    PID:2380
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im notepad.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\7F2E.tmp\SystemBlocker_Interface.exe
    SystemBlocker_Interface.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1684
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7F2E.tmp\voice.vbs"
    3⤵
    PID:2940

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1736

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7F2E.tmp\7F3F.tmp\7F40.bat

Filesize
845B

MD5
0785859d5f83bf5807e578547200037e

SHA1
1138b2cce9781ff7f21581106e5618a4322e04a4

SHA256
6f9bd0980bc9df446a12d92013a9fbe33ff79cf35b27809418c5c16344b2fdad

SHA512
82c53ff7682b615844fe164a6c07f16b60a743e2b140ef3fd3f3094a22ea7a9974933cb6b8077d68348b1705ac87280709792f6fd5faa7bed9da632452525729

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F2E.tmp\MBR.exe

Filesize
9KB

MD5
3e3286fdcbe16763fe0624d83c075e0e

SHA1
e9cab7c4be74edefde1a86b95b155d8507b1bb76

SHA256
c3fac331c62e1838ccb2cdf958c7b3d437415d1650c919235adf437bd756f40f

SHA512
a396bb94eac41ed9d97d06208d28dc64757e7d3ec4e95a0434b922de6742fa65e136a3e316a8566c6465558aa4286face63bc40def41aebd7b8c920ad2948357

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F2E.tmp\MBR.exe.config

Filesize
161B

MD5
c16b0746faa39818049fe38709a82c62

SHA1
3fa322fe6ed724b1bc4fd52795428a36b7b8c131

SHA256
d61bde901e7189cc97d45a1d4c4aa39d4c4de2b68419773ec774338506d659ad

SHA512
cbcba899a067f8dc32cfcbd1779a6982d25955de91e1e02cee8eaf684a01b0dee3642c2a954903720ff6086de5a082147209868c03665c89f814c6219be2df7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F2E.tmp\SystemBlocker_Interface.exe

Filesize
15KB

MD5
076a44a9243d96ee076d2aba78fc3131

SHA1
1026e1ba3615d6a5a51e02918da2724409835631

SHA256
77231a229da0b98fb709c6c8c40dd916d7f29abb3279e1b6834c8319e059c88f

SHA512
4f9251b70bf024e13b2a1420a96736cef970b67685a47d3da4d0cb308b15651ee578076824afc79a6437d44e43597aceaa39799e805b119eb7470783124ed5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F2E.tmp\SystemBlocker_Interface.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F2E.tmp\Windows_Mania_WannaCry_Removal.exe

Filesize
381KB

MD5
690fe7edb2e1814ab9ac0f72d71cfef1

SHA1
2ce66689bc79ad64033b611e607e7679be6a1231

SHA256
a01d3c8333bbf5e19b1b8ec5729599d7e876c2683042213e538566f282f088e7

SHA512
796501da715155e29df0168e42b2ce7dba41b8e5631417004bcdb9c2c6e0cffd18b0aa050047cd3d60ddb77c4a3e39baacfd8dc09568eb5e01052b0c1ed465b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F2E.tmp\voice.vbs

Filesize
406B

MD5
3d8f5bc566c6517b691e8e04da9c085e

SHA1
db45e77dc279c9b97d4d23ccaa04578d84804436

SHA256
1064953cbfa62eea51c3e05f1679de7106f01b37347a420f54a91d8f9605e50f

SHA512
273600126b69370a380baee43be60db384a13d050110e7d2766187b3ad55722083301b9bcee61ac4180ebd0b44470045f7eb9ed61173b7891132478010949f20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk.sysblock

Filesize
3KB

MD5
5c43b899b1e60b89a2bed46729ec9c9f

SHA1
921a5a01741ae29d1bb931f4f71ae05f1cdd2b27

SHA256
3c29b7939ab539be5e04db19109048419e597a411e355d2e198196e86fc716a7

SHA512
570674e0ae4c65f7d26e7c3256df9c3704fab03f4fe600a8f85f46bf0fd62caa534cb67489e306812531bf7b25544ba708085ff1e127436761fe8927dfc8f2e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk.sysblock

Filesize
2KB

MD5
b043247c9cb5fedb1d5d000395774434

SHA1
23e46c28a93dcfd06f745f20756251d0a2717a1d

SHA256
d167d68845e94179c177d1a5f63ae49629ec490f70c01696ed5782589e03df00

SHA512
1baf54a8f0dd6e3c7b12d50a006b21698c8f6dc1e454fa8277a4076e081cc983d665f6cf65544a11811434b1826a6281a8f64368fd3ec3ed78a6e8d68b81524f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk.sysblock

Filesize
1KB

MD5
be2ccc899e054c58e30b31f6e15970d6

SHA1
c3e3ba62024c2c3753a243a37d3601be033f7af8

SHA256
adb4131928364adadf6a634d2d2f17bf0b10d06cd22610cd5020a0bd2872a413

SHA512
879d79385b256efe1e0b87238ff82fee46f8cbfaccff3868cc3ed27dacf8b69acee491fc3c045d742e64c1fc55ad1980aceb93dba96350face6a4e7453fa58e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk.sysblock

Filesize
2KB

MD5
78328c825cd865752430d2b5f9f94103

SHA1
7df2b3d14439b7ed5288689c0cb789ccaf14cbb8

SHA256
9d36aed3a98b61bcf47abd83641766f34d283be1a7bdaf61009c4a6e33feebe8

SHA512
6696f49fd5268ac69b0e9891ab44e1a4e04b3fa811f17cb09628ab47791cbc9b050957187150fc297d8f158bbcb6e8b9cbe00461fe75a2484b4ebea9d9947324

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.url

Filesize
160B

MD5
6247d2951d2b3689ed6f89f0a399ec91

SHA1
5db476db972492ab2b5ef617df6108c42fff7b47

SHA256
a3e9563dbfe59a3fcdfd6694152b26bfdfb2420d9ecc71ce9312023578f578fb

SHA512
47b0ee3809da37e714cef7231966b30d8d9279312fbbd2716e76ddfee07e09e9798cc8bb23bdaa05675d9d6263dac555426fd1ba4de572bd6c19c406c3d2b370

Download Submit
C:\Users\Admin\Desktop\BackupMove.avi.sysblock

Filesize
927KB

MD5
76958b6cb5d2d8ab28dd32568474de59

SHA1
a769c1c6543620c4f703607f002976263af97de3

SHA256
82d75b05ab21594c01c2781c5dd497885e73c8b1b0f7ea456af8208e6b71ef98

SHA512
51627546e307204f493a5b449710c5d896e5e398def43ab39d3feb02713a02065c1facc86af789f4fbf2272d49adfc15a811ae59395a8c5ba528b80287ae974f

Download Submit
C:\Users\Admin\Desktop\CompareJoin.xml.sysblock

Filesize
1.0MB

MD5
b2f89ff980d9d6cbc5de37c63d58e327

SHA1
ebb9403ec039aabb628fc3da73610dc4635f34ea

SHA256
c7fc8574a2c63e735a7c18f93acc7f6130782b339c083f3f281d8e064da6eb58

SHA512
45297ed50094f4a191c14f1c65fb533fafc926d9960e069a49c6a8dbbc810b66f8fa215b0f9b6fec41981fd7a84985a782cdddd83fa7b18abcbe89f14e64074a

Download Submit
C:\Users\Admin\Desktop\ConfirmWrite.ppt.sysblock

Filesize
446KB

MD5
1c926c23a34d287a68d07e05d4948c87

SHA1
8dd4b6fa9fc1b34ff80ed3a389d3627d7ebeaeba

SHA256
845b2d513d2e8683c955f7e308b20d3a6e612eb594f49bfcbedbd7e9587f7637

SHA512
c71689032b59764c7d55230b4287a52d428b1db0d4494ba2d1df8fb8145feb8a6a94e29896d448ff27e72f4962390e49c536d9a21a0982a51bc4b94c5609118f

Download Submit
C:\Users\Admin\Desktop\EnterAssert.asp.sysblock

Filesize
1.7MB

MD5
d4500973bed6601ab224237b370d1d0a

SHA1
f28b0f0cb36359525f1dd2117eccf6c71cd085e2

SHA256
68355449546e1b57930569af85149cfab578693d8860523aa42d4067f11524e8

SHA512
7fbddd0f97fbbe56acc1a47fb61ad3af7ab07b0c24ba8b7eb3418ddb059055513d41dd854d035fbbdfb44cb90a42f75ca4a1e9069268c86c62966ce1f6c34a03

Download Submit
C:\Users\Admin\Desktop\FormatGet.xsl.sysblock

Filesize
1.1MB

MD5
389a90e4659e0eecf16cd085d655b092

SHA1
8947e29a89b74a5600f77c0ae1ddb38552f2f3c3

SHA256
1a36dc0c628665d72c7563ae6a4c8d6d1885bc4c08d409837b0d4b8577bf36bd

SHA512
37fdd66bcbdabfda24ab985e2146a2e3c9c3e8207873b8da9006ce8e06db23b8bb2833a308977546c01fc781547aac39a258ef16fcb532d8d62035acf42205c9

Download Submit
C:\Users\Admin\Desktop\JoinMerge.xls.sysblock

Filesize
583KB

MD5
298317c7ede16b9f1d5c77b9bf7538d3

SHA1
9108a5cd9a225ff50421e9ee985bbf14c38f7c85

SHA256
2074d0ddca723bea4ca0f9b2783748ac290577050d25fac964df3e5e83d45bdc

SHA512
730e52c51436ccd09809cae1273ae1c19efae43e5138d52c0b6a20bab90ac6d5b95f94897611e924c5a77d02564d26645dc36afdc43c840a438162e06dc33855

Download Submit
C:\Users\Admin\Desktop\MoveSync.jpe.sysblock

Filesize
1.1MB

MD5
c7181a42259e44d85fc810fcc0579b36

SHA1
a40493888d162c6bd723972eb202289c6e382d90

SHA256
77ab5ad9ee3a165367874b1a7843074c313aed2e35769482e8fdc41c1e5ca6d0

SHA512
f02628c3fd6486f97a3cec684b8c09df2ae4a28c7187f6bb4b5a46203afdd8873764951e138355b7ff1d876e62c61e0f597786dd5443a0e67deb7b59d2a4d5a3

Download Submit
C:\Users\Admin\Desktop\NewSearch.potx.sysblock

Filesize
480KB

MD5
30ca7bc3c054ef96dd5fe2e8a8a90437

SHA1
e870a6ab83e0bdf0f43b858d6ef98343fc09e568

SHA256
5cbd57b3cf2de77c7f60cc297fad9e9f4857c3e04410413bb08083b3969e0049

SHA512
672db34c85d27c95b57b616b4a6a642470f57426e54df93ddf86143ff0b605771cb8cb3178899c8707ac954a181c9a244cc68f24a78f9624c2053b41705baa66

Download Submit
C:\Users\Admin\Desktop\OpenExit.mp4.sysblock

Filesize
1.2MB

MD5
1246143e25053d920cc28580cc7f4eae

SHA1
463bdb99f807d08b862a230849cbe3c1e45bcebf

SHA256
cf1823edeab16eb622f1e96a2536dff1ec06ee5b469a2b58422481c98f3da2fd

SHA512
88a43ba7a3c6edf6c5b725a6498179909fccb83900779442b02e0a493168bab2c3fd05f48bf4fd1ab0b09027965f203f76af5d60854d3590e367b54d9f588a79

Download Submit
C:\Users\Admin\Desktop\PublishCompress.mht.sysblock

Filesize
652KB

MD5
f9381b3b245af7eb6e2670567f062a88

SHA1
6f7f0259be07c7461a617363a1fd57a12954129e

SHA256
2e4d1806e035b644d2e5300b065c3e9b47a308bc0fc85dfd4cbeb9016cdd5a94

SHA512
8c5081a41287a897c567ac3a88887dd8236d319f9ebb7aa8eb15b310cf0a9b2e3a072ffd3ff78b77bab6c77e79674a9e43931117149bb36e35829f6ff651bc44

Download Submit
C:\Users\Admin\Desktop\SearchWait.lnk.sysblock

Filesize
618KB

MD5
cce5af8b924376ec6e13861820877d7c

SHA1
ec78685c85f81182f3110d74774ddaa6a5223c88

SHA256
297b7b9e8ca8dd40da7ea30796c1be85ca45f3da0d1d218ec64c4f888e39a824

SHA512
d92b8f7d316b6aa20a321a655c023cb6cff4b09c865eaa3a62934d942f131db30f79644e9c278468ef1957f79bd1415ee9c4f615fe81b669ee2e520b60a923d9

Download Submit
C:\Users\Admin\Desktop\SkipSearch.avi.sysblock

Filesize
961KB

MD5
b02bbd61ee9cdeebd20a583d4a1a4c19

SHA1
df3e2624044e34cfeeefe72d41ac148ce8326457

SHA256
23d8416be3cc944f1a886536708846d1f5adb8af4ef6d490c23b31c92cd96e2f

SHA512
36afab64875788a727ab149d46ac1e53425e2e1267188dfcc2425624cdc1c79e79709dbdd85565e456e2e2f15a515efb093462de437322a009a267ed187a0aac

Download Submit
C:\Users\Admin\Desktop\TraceWatch.dib.sysblock

Filesize
858KB

MD5
ba610f1b33319b6f3e8955686efcf5f1

SHA1
58523fc5418cbd6d7a37e2d3d577abf4aef688cd

SHA256
bcc2fbec51457282cccdeeb390f29e15433d329c63f1c19c16348b436d93e21e

SHA512
868badcede9e4555e753f655f6164a2924986b4923e5ee0aa757696b8abcacc1d5aec0ff6646f96c0522753ca6fb82c0318e681c05213719ad6108a17be4977b

Download Submit
C:\Users\Admin\Desktop\UnprotectCompare.mov.sysblock

Filesize
789KB

MD5
5daab1d5391c8cb09f3ee92d5061edec

SHA1
e14df18d5a7a09b40f9d9e0896302b848a879459

SHA256
f9b23b83fb797d09548c92d9b42516d9ebaf345543705943bc92963151034dcc

SHA512
89989216061aa28ec7462369172c9838b8ee0e7aea3daa03c5f791d9401d568f85d4f0a3a14f3e6685b50ec9609b6612bdb9c85a1cebab7e24128218ae63285f

Download Submit
C:\Users\Admin\Desktop\desktop.ini.sysblock

Filesize
584B

MD5
4907420851b5453b19e3865a7b1df6ba

SHA1
c9a9978effda7d8194da28d5a41b42fbb4290cab

SHA256
355221dd4a6515619ed80d0fb12045841205dfd812e2c136a387f1c848d462f0

SHA512
5e7e6eaf07999f52aea83f12a5765e722d0303caa00abb243529091a8f8fa5ddddd4bb7dafd9b602cf7dc40782a4161e055a87a1b7943d28b37691b1ab9e435c

Download Submit
C:\Users\Admin\Documents\README.txt

Filesize
538B

MD5
96afef89fb98d6369d2aa9f93332acc3

SHA1
2365caa97ced4c3d452c7df5249c6e3090e47d7b

SHA256
1eaf097f068fb23de560e69655abaec0a5c42a233dd2f59b3ec337c011a03b30

SHA512
1bafb3094fbb2c6bb1f541e6ed7a975833335aeba17b9c875c7499050b39dc1ed2bb9e565ad44537774d7a1211b92ab7689b9385943474301859534f1429a2fd

Download Submit
memory/2184-0-0x0000000140000000-0x0000000140083000-memory.dmp

Filesize
524KB

Download
memory/2184-29-0x0000000140000000-0x0000000140083000-memory.dmp

Filesize
524KB

Download
memory/2552-27-0x0000000001160000-0x00000000011C4000-memory.dmp

Filesize
400KB

Download
memory/3000-44-0x0000000000E30000-0x0000000000E94000-memory.dmp

Filesize
400KB

Download