targetcompany | 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8

Analysis

max time kernel
133s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransom.exe
Size

376KB
MD5

120c6ddfc24274b6e2e3a1ba7dc519ab
SHA1

29936b1aa952a89905bf0f7b7053515fd72d8c5c
SHA256

2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8
SHA512

dd9b2fb6cd5f6f044daa80ef634078849032ebbdbd1d293bb7bcb0270aa8b7360c39addb0826c7a3ddc8714b559bf8828e8e506ac91bcb4702a72f4c8ec4850a
SSDEEP

6144:KFtgKBIxGS/bbWGGJK8PpzR1WpOJOQMeEBwhUg5bBDNPbsP/qrscpyj4CVKSkn:+tgKIxfbbezR1WpOJJMjihU030/qRMra

Score

10^/10

targetcompany defense_evasion execution impact ransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\HOW TO BACK FILES.txt

Ransom Note

Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: A748373403191A7B8D3B49EC 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion �

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
ransomware targetcompany
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6505) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Ransom.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Ransom.exe
File opened (read-only)	\??\V:	Ransom.exe
File opened (read-only)	\??\E:	Ransom.exe
File opened (read-only)	\??\A:	Ransom.exe
File opened (read-only)	\??\L:	Ransom.exe
File opened (read-only)	\??\M:	Ransom.exe
File opened (read-only)	\??\G:	Ransom.exe
File opened (read-only)	\??\I:	Ransom.exe
File opened (read-only)	\??\Y:	Ransom.exe
File opened (read-only)	\??\S:	Ransom.exe
File opened (read-only)	\??\Z:	Ransom.exe
File opened (read-only)	\??\B:	Ransom.exe
File opened (read-only)	\??\H:	Ransom.exe
File opened (read-only)	\??\J:	Ransom.exe
File opened (read-only)	\??\N:	Ransom.exe
File opened (read-only)	\??\R:	Ransom.exe
File opened (read-only)	\??\T:	Ransom.exe
File opened (read-only)	\??\U:	Ransom.exe
File opened (read-only)	\??\W:	Ransom.exe
File opened (read-only)	\??\D:	Ransom.exe
File opened (read-only)	\??\K:	Ransom.exe
File opened (read-only)	\??\O:	Ransom.exe
File opened (read-only)	\??\Q:	Ransom.exe
File opened (read-only)	\??\X:	Ransom.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\2876_24x24x32.png	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_contrast-white.png	Ransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\ui-strings.js	Ransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-256_contrast-black.png	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\LockScreenLogo.scale-200.png	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-unplated.png	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-black_scale-200.png	Ransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\ui-strings.js	Ransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt	Ransom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\HOW TO BACK FILES.txt	Ransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx	Ransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png	Ransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\ui-strings.js	Ransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\close.svg	Ransom.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\HOW TO BACK FILES.txt	Ransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\HOW TO BACK FILES.txt	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppList.scale-100.png	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-48_altform-unplated.png	Ransom.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\HOW TO BACK FILES.txt	Ransom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	Ransom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\IC_WelcomeBanner.scale-150.png	Ransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\HOW TO BACK FILES.txt	Ransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\HOW TO BACK FILES.txt	Ransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pt-br\HOW TO BACK FILES.txt	Ransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifest	Ransom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\HOW TO BACK FILES.txt	Ransom.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO BACK FILES.txt	Ransom.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\HOW TO BACK FILES.txt	Ransom.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\HOW TO BACK FILES.txt	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-100.png	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-200.png	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-400.png	Ransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC	Ransom.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\lo.pak.DATA	Ransom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\HOW TO BACK FILES.txt	Ransom.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\HOW TO BACK FILES.txt	Ransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ar-ae\HOW TO BACK FILES.txt	Ransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms	Ransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js	Ransom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\HOW TO BACK FILES.txt	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-100.png	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-16.png	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.scale-200.png	Ransom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\HOW TO BACK FILES.txt	Ransom.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\HOW TO BACK FILES.txt	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	Ransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\ui-strings.js	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png	Ransom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\HOW TO BACK FILES.txt	Ransom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\HOW TO BACK FILES.txt	Ransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bg-BG\View3d\3DViewerProductDescription-universal.xml	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-200.png	Ransom.exe
File created	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\HOW TO BACK FILES.txt	Ransom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_ES.LEX	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-64.png	Ransom.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-20.png	Ransom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\HOW TO BACK FILES.txt	Ransom.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\HOW TO BACK FILES.txt	Ransom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\HOW TO BACK FILES.txt	Ransom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4452	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
512	Ransom.exe
512	Ransom.exe
512	Ransom.exe
512	Ransom.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeDebugPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe
Token: SeTakeOwnershipPrivilege	512	Ransom.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 2472	512	Ransom.exe	85
PID 512 wrote to memory of 2472	512	Ransom.exe	85
PID 512 wrote to memory of 2472	512	Ransom.exe	85
PID 512 wrote to memory of 1748	512	Ransom.exe	87
PID 512 wrote to memory of 1748	512	Ransom.exe	87
PID 512 wrote to memory of 1748	512	Ransom.exe	87
PID 512 wrote to memory of 4452	512	Ransom.exe	89
PID 512 wrote to memory of 4452	512	Ransom.exe	89

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	Ransom.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Ransom.exe
"C:\Users\Admin\AppData\Local\Temp\Ransom.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
  2⤵
  PID:1748
- C:\Windows\system32\vssadmin.exe
  "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.35ca3df1.pri

Filesize
80KB

MD5
d963e5c98a2639ecdaadb15af9ae71f7

SHA1
162b2d851c806703a8ff5376d8f0dfa3f1876ea2

SHA256
a87c42adde78d34bbdba5bd0680949b6748f325182179030fe72e6e4ea013a7a

SHA512
48564e13d706f63f2a779bf4d1aeda761a30e6604ecbfb6f8f8a6eff7cd619fed11075ae6cc1e502ec1d8a293f1fdf0b8425613329d088d08fe0ecc5dfba442b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GO42234Z\FCNQQO2R.txt

Filesize
14B

MD5
1207bc197a1ebd72a77f1a771cad9e52

SHA1
8ed121ff66d407150d7390b9276fe690dd213b27

SHA256
260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476

SHA512
d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

Download Submit
\Device\HarddiskVolume1\HOW TO BACK FILES.txt

Filesize
910B

MD5
7285736657141a22e1be6de7640f25c2

SHA1
98e5362b1bdb88291538c16fcd2df48be1152515

SHA256
ab126ee9eda8cf23caf6f503275f96742c29e0c184e6dfd13cc18a08535d7768

SHA512
6b237585c9b4bc2ed38d86caac2374aeb386e39db4a1c2d2a8fc5199a20f2536558ced754d4f7dd03c394fd30aa5827382e51150ead2cabb85a0d00afaa7058f

Download Submit