Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/05/2024, 13:29
Static task: static1
Behavioral task: behavioral1
  Sample: 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe
  Resource: win10v2004-20240426-en
General
Target: 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe
Size: 347KB
MD5: 8f402d93d54d9e6dfa608e74f2b108c1
SHA1: 236ef8c57c8567bdd723acbeb645ac9cbfbe0880
SHA256: 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04
SHA512: 65184154587bcf48411bbc1f279a1a5b40cbcbd8403d17e792f3f525e1cb9ce685741659584cdc8d2258ed29f7c2521085e8c796bd219050af754a0ac6351041
SSDEEP: 6144:xPtDXH/S/IQUjXeQvBAOMJmwFT//4OQ334gx6AdFCxPor:h5Xy6XekBkFTH4xYgFwxPO
Malware Config
Extracted from: \Device\HarddiskVolume1\FILE RECOVERY.txt
Family: targetcompany
URLs:
- http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
- http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Signatures

TargetCompany,Mallox
TargetCompany (aka Mallox) is ransomware that encrypts files using a combination of ChaCha20, AES-128, and Curve25519; it was first seen in June 2021.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (3268) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
All 24 entries are "File opened (read-only)" by 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe, for these drive roots in the order recorded:
\??\V:, \??\X:, \??\H:, \??\N:, \??\U:, \??\P:, \??\Z:, \??\G:, \??\I:, \??\J:, \??\R:, \??\S:, \??\T:, \??\Y:, \??\B:, \??\K:, \??\Q:, \??\L:, \??\M:, \??\O:, \??\W:, \??\D:, \??\E:, \??\A:
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
8 | api.ipify.org
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
All 64 entries below were recorded for process 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe.
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\FILE RECOVERY.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\FILE RECOVERY.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\sendforcomments.svg
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PNG32.FLT
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\vlc.mo
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-400_contrast-white.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\NewNotePlaceholder-dark.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-150_contrast-black.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\FILE RECOVERY.txt
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-72.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.ITS
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-24_altform-unplated.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\FILE RECOVERY.txt
File created | C:\Program Files\VideoLAN\VLC\plugins\meta_engine\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms
File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\ContentDirectory.xml
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-200_contrast-black.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyView.scale-150.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeSmallTile.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\en-US_female_TTS\platform_format.lua
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\FILE RECOVERY.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\ui-strings.js
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\FILE RECOVERY.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\ui-strings.js
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\FILE RECOVERY.txt
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-125.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\da-dk\FILE RECOVERY.txt
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Images\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-white_scale-125.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-16_altform-unplated_contrast-black.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\LargeTile.scale-200.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-256_altform-lightunplated.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\FILE RECOVERY.txt
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\Content.DATA
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\FILE RECOVERY.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\de-de\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Java\jre-1.8\lib\management\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.tree.dat
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-200_contrast-black.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyShare.scale-150.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\WideTile.scale-200.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\ui-strings.js
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-256.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-unplated.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png
File created | C:\Program Files (x86)\Windows Multimedia Platform\FILE RECOVERY.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl
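The "Drops file" entries above are the raw material an analyst turns into two facts: which filename is the ransom note (the one written into many unrelated directories) and how much of each application tree the process touched. The script below is an added example, not part of the Triage report or of any Mallox analysis tooling. It parses the flattened "description ioc Process" run that Triage text exports produce (the process name is the only delimiter between entries), then applies those two heuristics. IOC_RUN is the first nine entries of the signature above, copied verbatim and placed one per line for readability; the parser does not depend on the line breaks. The "at least three directories" threshold and the three-component "application root" are this example's own choices.

```python
# Added example (not part of the Triage report): parse the flattened
# "File created/opened for modification <path> <process>" run and apply two
# triage heuristics: ransom-note discovery and per-application-root counts.
import re
from collections import Counter, defaultdict

SAMPLE = "8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe"

# First nine entries of the "Drops file in Program Files directory" signature,
# copied from the report; <P> stands for the process name that delimits entries.
IOC_RUN = r"""
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\FILE RECOVERY.txt <P>
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\FILE RECOVERY.txt <P>
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms <P>
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48.png <P>
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\FILE RECOVERY.txt <P>
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\sendforcomments.svg <P>
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\FILE RECOVERY.txt <P>
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PNG32.FLT <P>
File opened for modification C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\vlc.mo <P>
""".replace("<P>", SAMPLE)


def parse_ioc_run(text, process):
    """Return [(action, path), ...] from a flattened Triage IoC run.

    Entries are 'action path process' with no separator other than whitespace,
    so the process name is used as the terminator of each path (non-greedy
    match up to the next occurrence)."""
    pattern = re.compile(
        r"(File created|File opened for modification)\s+(.+?)\s+" + re.escape(process), re.S)
    return [(action, path) for action, path in pattern.findall(text)]


def split_path(path):
    """Split a Windows path into (directory, basename)."""
    parts = path.split("\\")
    return "\\".join(parts[:-1]), parts[-1]


def app_root(path, depth=3):
    """Group paths by their first `depth` components, e.g. C:\Program Files\WindowsApps."""
    return "\\".join(path.split("\\")[:depth])


def ransom_note_candidate(entries, min_dirs=3):
    """The basename written into the most distinct directories is the note
    candidate; return (name, directory_count) or None below the threshold."""
    dirs = defaultdict(set)
    for _, path in entries:
        directory, name = split_path(path)
        dirs[name].add(directory)
    if not dirs:
        return None
    name, seen = max(dirs.items(), key=lambda kv: len(kv[1]))
    return (name, len(seen)) if len(seen) >= min_dirs else None


def summarize(entries, note_name):
    """Count note drops versus other touched files, the latter per application root."""
    out = {"note_drops": 0, "other_touched": 0, "by_root": Counter()}
    for _, path in entries:
        _, name = split_path(path)
        if name == note_name:
            out["note_drops"] += 1
        else:
            out["other_touched"] += 1
            out["by_root"][app_root(path)] += 1
    return out


if __name__ == "__main__":
    entries = parse_ioc_run(IOC_RUN, SAMPLE)
    note = ransom_note_candidate(entries)
    print(f"{len(entries)} entries parsed; ransom note candidate: {note}")
    if note:
        for root, n in summarize(entries, note[0])["by_root"].most_common():
            print(f"{n:3d} other files touched under {root}")
```

Run against the full 64-entry list, the same code gives the note name with its directory count and a per-root breakdown that tells the responder which application trees were actually encrypted rather than merely seeded with notes.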
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
pid | Process
3708 | sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1060 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
5028 | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe
5028 | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeTakeOwnershipPrivilege | 5028 | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe
Token: SeDebugPrivilege | 5028 | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe
Token: SeBackupPrivilege | 4092 | vssvc.exe
Token: SeRestorePrivilege | 4092 | vssvc.exe
Token: SeAuditPrivilege | 4092 | vssvc.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 5028 wrote to memory of 1060 | 5028 | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe | 84
PID 5028 wrote to memory of 1060 | 5028 | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe | 84
PID 5028 wrote to memory of 1416 | 5028 | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe | 85
PID 5028 wrote to memory of 1416 | 5028 | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe | 85
PID 5028 wrote to memory of 1416 | 5028 | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe | 85
PID 5028 wrote to memory of 1604 | 5028 | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe | 86
PID 5028 wrote to memory of 1604 | 5028 | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe | 86
PID 5028 wrote to memory of 1604 | 5028 | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe | 86
PID 5028 wrote to memory of 3716 | 5028 | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe | 89
PID 5028 wrote to memory of 3716 | 5028 | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe | 89
PID 5028 wrote to memory of 3716 | 5028 | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe | 89
PID 1604 wrote to memory of 3708 | 1604 | cmd.exe | 94
PID 1604 wrote to memory of 3708 | 1604 | cmd.exe | 94
PID 1604 wrote to memory of 3708 | 1604 | cmd.exe | 94

System policy modification (1 TTP, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | 8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe"
  PID: 5028
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Windows\system32\vssadmin.exe
      Command line: "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
      PID: 1060
      - Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      PID: 1416

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
      PID: 1604
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\sc.exe
          Command line: sc delete "MSSQLFDLauncher"
          PID: 3708
          - Launches sc.exe

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      PID: 3716

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4092
  - Suspicious use of AdjustPrivilegeToken
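The process tree above is the part of this report most worth turning into detection logic: one parent spawns vssadmin to delete shadow copies, two bcdedit invocations that disable boot-failure recovery, and a cmd.exe chain that deletes 28 database and backup services and force-kills their processes before encryption starts. Any one stage alone is noisy (administrators do run sc delete and bcdedit); the combination under a single ancestor is not. The script below is an added example, not part of the Triage report or of any vendor's rule set. It runs over constructed process-creation events: the event shape (pid, ppid, image, cmdline) is an assumption modelled on Sysmon event 1 / Windows 4688, the command lines are copied from the tree above, and the parent pids of the two top-level processes, the benign sc query event, the wmic shadowcopy pattern (a common variant this sample did not use) and the alert thresholds are this example's own choices.

```python
# Added example (not part of the Triage report): flag the recovery-inhibition
# chain from the process tree by classifying each command line and grouping
# the hits under their top-most ancestor in the event set.
import re

SAMPLE = "8ee70de7af7f22f072f09c7e1a780c9c915cf697d4a241cfbec1b0c00fa51c04.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# The sc/taskkill chain exactly as recorded for PID 1604.
SQL_KILL_CHAIN = r'''"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe'''

# Constructed events: pids and command lines as reported; ppid 1000 (the shell
# that launched the sample), ppid 700 (the service host) and the last event are made up.
EVENTS = [
    {"pid": 5028, "ppid": 1000, "image": TEMP + "\\" + SAMPLE,
     "cmdline": '"' + TEMP + "\\" + SAMPLE + '"'},
    {"pid": 1060, "ppid": 5028, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": r'"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet'},
    {"pid": 1416, "ppid": 5028, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures'},
    {"pid": 1604, "ppid": 5028, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": SQL_KILL_CHAIN},
    {"pid": 3708, "ppid": 1604, "image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": 'sc delete "MSSQLFDLauncher"'},
    {"pid": 3716, "ppid": 5028, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no'},
    {"pid": 4092, "ppid": 700, "image": r"C:\Windows\system32\vssvc.exe", "cmdline": r"C:\Windows\system32\vssvc.exe"},
    # Benign: a single service query from an admin shell must not alert.
    {"pid": 7001, "ppid": 1000, "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc query SQLWriter"},
]

CMD_WRAPPER = re.compile(r'^\s*(?:"[^"]*\\cmd(?:\.exe)?"|\S*cmd(?:\.exe)?)\s+/[ck]\s+(.*)$', re.I | re.S)
# vssadmin is what this sample used; the wmic form is the other common variant.
SHADOW = re.compile(r'\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b'
                    r'|\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b', re.I)
BCDEDIT = re.compile(r'\bbcdedit(?:\.exe)?\b.*\{(?:current|default)\}\s+'
                     r'(?:bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)\b', re.I)
SC_DELETE = re.compile(r'^sc(?:\.exe)?\s+delete\s+"?([^"\s]+)"?\s*$', re.I)
TASKKILL = re.compile(r'^taskkill(?:\.exe)?\s+(?:[/-]f\s+)?[/-]im\s+"?([^"\s]+)"?', re.I)
MASS_THRESHOLD = 3  # sc delete / taskkill targets in one chain before it counts as mass removal


def split_chain(cmdline):
    """Unwrap 'cmd.exe /c ...' and split the payload on '&&' into single commands."""
    m = CMD_WRAPPER.match(cmdline)
    body = m.group(1) if m else cmdline
    return [part.strip() for part in body.split("&&") if part.strip()]


def classify(cmdline):
    """Return (tags, deleted service names, killed image names) for one command line."""
    tags, services, images = set(), [], []
    for cmd in split_chain(cmdline):
        if SHADOW.search(cmd):
            tags.add("shadow_copies_deleted")
        if BCDEDIT.search(cmd):
            tags.add("boot_recovery_disabled")
        if (m := SC_DELETE.match(cmd)):
            services.append(m.group(1))
        if (m := TASKKILL.match(cmd)):
            images.append(m.group(1).lower())
    if len(services) >= MASS_THRESHOLD:
        tags.add("mass_service_deletion")
    if len(set(images)) >= MASS_THRESHOLD:
        tags.add("mass_process_kill")
    return tags, services, sorted(set(images))


def find_chains(events, min_stages=2):
    """Group tagged events under their top-most ancestor present in the event set;
    a root with at least min_stages distinct stages is reported as a chain."""
    by_pid = {e["pid"]: e for e in events}
    chains = {}
    for e in events:
        tags, _, _ = classify(e["cmdline"])
        if not tags:
            continue
        root, seen = e, set()
        while root["ppid"] in by_pid and root["pid"] not in seen:
            seen.add(root["pid"])
            root = by_pid[root["ppid"]]
        chains.setdefault(root["pid"], set()).update(tags)
    return {pid: sorted(t) for pid, t in chains.items() if len(t) >= min_stages}


if __name__ == "__main__":
    for pid, stages in find_chains(EVENTS).items():
        image = next(e["image"] for e in EVENTS if e["pid"] == pid)
        print(f"ALERT root pid {pid} ({image}): {', '.join(stages)}")
    _, services, images = classify(SQL_KILL_CHAIN)
    print(f"services targeted: {len(services)}, distinct images killed: {len(images)}")
```

The lone sc.exe child (PID 3708) classifies with one service and no tag, and the constructed sc query produces nothing, so the alert fires only for the root that accumulates several stages. The service and image lists returned by classify for the cmd chain are also a ready-made watchlist: a host where sqlservr.exe, Veeam's MSSQL$VEEAMSQL2012 or postgres is stopped by anything other than the service manager deserves a look.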
Network
MITRE ATT&CK Enterprise v15
Execution
- System Services (1)
  - Service Execution (1)
- Windows Management Instrumentation (1)
Defense Evasion
- Impair Defenses (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (1)
Downloads

Filesize: 1KB
MD5: c881da4c92c394fc2f3e3485968f888a
SHA1: 8f98c90d05f570d425a7eda3915450d5619f0d8c
SHA256: 3c77722d6c35bc85369ec26172f92b1bde5f483a692607c73815ffcbb82fae11
SHA512: 4bf055198eae0c654db09562585bb8a50bdcf7393e60002e10bdc8e54ebc8b6b7f5b02804de4420640d46650b9930d6eb54deee6c8b61d1784ae14b7d152c505