cerber | db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

Analysis

max time kernel
127s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_270b70bad151a515136f553e5bc880ac.exe
Size

344KB
MD5

270b70bad151a515136f553e5bc880ac
SHA1

77b7def336c7647c6faadaf7136d70ff1e9ba7fc
SHA256

db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa
SHA512

c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f
SSDEEP

3072:v5sAzvcjE+lcO3zXgKRcP66BpwwB9RStc3Yfqr:v5jvc4+lcO3zQKSPfBJXv3YM

Score

10^/10

cerber defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.vmfu48.win/DD08-8190-71F2-0073-1E7D | | 2. http://cerberhhyed5frqa.45tori.win/DD08-8190-71F2-0073-1E7D | | 3. http://cerberhhyed5frqa.fkr84i.win/DD08-8190-71F2-0073-1E7D | | 4. http://cerberhhyed5frqa.fkri48.win/DD08-8190-71F2-0073-1E7D | | 5. http://cerberhhyed5frqa.djre89.win/DD08-8190-71F2-0073-1E7D |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/DD08-8190-71F2-0073-1E7D); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.vmfu48.win/DD08-8190-71F2-0073-1E7D appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/DD08-8190-71F2-0073-1E7D); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/DD08-8190-71F2-0073-1E7D | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.vmfu48.win/DD08-8190-71F2-0073-1E7D

http://cerberhhyed5frqa.45tori.win/DD08-8190-71F2-0073-1E7D

http://cerberhhyed5frqa.fkr84i.win/DD08-8190-71F2-0073-1E7D

http://cerberhhyed5frqa.fkri48.win/DD08-8190-71F2-0073-1E7D

http://cerberhhyed5frqa.djre89.win/DD08-8190-71F2-0073-1E7D

http://cerberhhyed5frqa.onion/DD08-8190-71F2-0073-1E7D

Extracted

Path

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.vmfu48.win/DD08-8190-71F2-0073-1E7D" target="_blank">http://cerberhhyed5frqa.vmfu48.win/DD08-8190-71F2-0073-1E7D</a></li> <li><a href="http://cerberhhyed5frqa.45tori.win/DD08-8190-71F2-0073-1E7D" target="_blank">http://cerberhhyed5frqa.45tori.win/DD08-8190-71F2-0073-1E7D</a></li> <li><a href="http://cerberhhyed5frqa.fkr84i.win/DD08-8190-71F2-0073-1E7D" target="_blank">http://cerberhhyed5frqa.fkr84i.win/DD08-8190-71F2-0073-1E7D</a></li> <li><a href="http://cerberhhyed5frqa.fkri48.win/DD08-8190-71F2-0073-1E7D" target="_blank">http://cerberhhyed5frqa.fkri48.win/DD08-8190-71F2-0073-1E7D</a></li> <li><a href="http://cerberhhyed5frqa.djre89.win/DD08-8190-71F2-0073-1E7D" target="_blank">http://cerberhhyed5frqa.djre89.win/DD08-8190-71F2-0073-1E7D</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/DD08-8190-71F2-0073-1E7D" target="_blank">http://cerberhhyed5frqa.vmfu48.win/DD08-8190-71F2-0073-1E7D</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.vmfu48.win/DD08-8190-71F2-0073-1E7D" target="_blank">http://cerberhhyed5frqa.vmfu48.win/DD08-8190-71F2-0073-1E7D</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/DD08-8190-71F2-0073-1E7D" target="_blank">http://cerberhhyed5frqa.vmfu48.win/DD08-8190-71F2-0073-1E7D</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/DD08-8190-71F2-0073-1E7D in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16389) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1956	bcdedit.exe
2032	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\sdchange.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\sdchange.exe\""	sdchange.exe

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\sdchange.lnk	VirusShare_270b70bad151a515136f553e5bc880ac.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\sdchange.lnk	sdchange.exe

Executes dropped EXE 1 IoCs

pid	Process
1996	sdchange.exe

Loads dropped DLL 3 IoCs

pid	Process
1284	VirusShare_270b70bad151a515136f553e5bc880ac.exe
1284	VirusShare_270b70bad151a515136f553e5bc880ac.exe
1996	sdchange.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\sdchange = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\sdchange.exe\""	sdchange.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdchange = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\sdchange.exe\""	sdchange.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\sdchange = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\sdchange.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdchange = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\sdchange.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdchange.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1BBB.bmp"	sdchange.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2732	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2264	taskkill.exe
692	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\sdchange.exe\""	sdchange.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\sdchange.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop	sdchange.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000007ab0648f6e3929d736a40ea155b5758504ff0f206429a4f99037849a681f2a88000000000e80000000020000200000006a939b7e8ca2134e9ad472beab8e7c14eb56dccc8b04a9b80020958a862687e820000000c18d86b43a5c5c9087779a1533c064a927399ac386d5963ba2c431220b96db27400000007c20b45f00061c37cc6352b05ff5f0525c9493ef6a3bc01e542fe82dd8f4613a7f9694cf7cb1d604205c20f167db8ec112021aa1d50066d71125c9d21d48f6a4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000000e868e2be542431793f191523607e468f2539a19d99f70c7f3dd377106f53362000000000e80000000020000200000005a1f775f4871fa6cbe22da371b36939bce41da2766f21da9cfa96dff6de4eb9e90000000366e2b47d1779ec18ac58bf71557c1f5a8f78bbe8082314db665ae3500caf79d6500ae239f7c73f02d35f6d5e1fb90ce1fe9a3c208f8c002495015d9ba91b0f968ae9d397834b8fb94124ffd3335785f575cf9a090b78b3135a02597d8e6228a8996de2d7fecfc2daea8413ab379665cfaf93be524df060c6212347e4a357c846614c77acd10a2e468a493c95f04c33b4000000037d999fed14cd93f9d58133d22e5f3fd64e7ea12d286ca9d6ec5e4c7bc92a9f243596a82d3b6658e0b7b15c5ae6c895f7be59729bb3193ef7e4825de33a02778	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C6A4A531-20E4-11EF-BADF-D62CE60191A1} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423497110"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 101f6f89f1b4da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C693FB91-20E4-11EF-BADF-D62CE60191A1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2520	PING.EXE
2004	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe
1996	sdchange.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Token: SeDebugPrivilege	1996	sdchange.exe
Token: SeBackupPrivilege	2256	vssvc.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeRestorePrivilege	2256	vssvc.exe
Token: SeAuditPrivilege	2256	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2824	wmic.exe
Token: SeSecurityPrivilege	2824	wmic.exe
Token: SeTakeOwnershipPrivilege	2824	wmic.exe
Token: SeLoadDriverPrivilege	2824	wmic.exe
Token: SeSystemProfilePrivilege	2824	wmic.exe
Token: SeSystemtimePrivilege	2824	wmic.exe
Token: SeProfSingleProcessPrivilege	2824	wmic.exe
Token: SeIncBasePriorityPrivilege	2824	wmic.exe
Token: SeCreatePagefilePrivilege	2824	wmic.exe
Token: SeBackupPrivilege	2824	wmic.exe
Token: SeRestorePrivilege	2824	wmic.exe
Token: SeShutdownPrivilege	2824	wmic.exe
Token: SeDebugPrivilege	2824	wmic.exe
Token: SeSystemEnvironmentPrivilege	2824	wmic.exe
Token: SeRemoteShutdownPrivilege	2824	wmic.exe
Token: SeUndockPrivilege	2824	wmic.exe
Token: SeManageVolumePrivilege	2824	wmic.exe
Token: 33	2824	wmic.exe
Token: 34	2824	wmic.exe
Token: 35	2824	wmic.exe
Token: SeIncreaseQuotaPrivilege	2824	wmic.exe
Token: SeSecurityPrivilege	2824	wmic.exe
Token: SeTakeOwnershipPrivilege	2824	wmic.exe
Token: SeLoadDriverPrivilege	2824	wmic.exe
Token: SeSystemProfilePrivilege	2824	wmic.exe
Token: SeSystemtimePrivilege	2824	wmic.exe
Token: SeProfSingleProcessPrivilege	2824	wmic.exe
Token: SeIncBasePriorityPrivilege	2824	wmic.exe
Token: SeCreatePagefilePrivilege	2824	wmic.exe
Token: SeBackupPrivilege	2824	wmic.exe
Token: SeRestorePrivilege	2824	wmic.exe
Token: SeShutdownPrivilege	2824	wmic.exe
Token: SeDebugPrivilege	2824	wmic.exe
Token: SeSystemEnvironmentPrivilege	2824	wmic.exe
Token: SeRemoteShutdownPrivilege	2824	wmic.exe
Token: SeUndockPrivilege	2824	wmic.exe
Token: SeManageVolumePrivilege	2824	wmic.exe
Token: 33	2824	wmic.exe
Token: 34	2824	wmic.exe
Token: 35	2824	wmic.exe
Token: SeDebugPrivilege	692	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1312	iexplore.exe
1352	iexplore.exe
1312	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1312	iexplore.exe
1312	iexplore.exe
1312	iexplore.exe
1312	iexplore.exe
3068	IEXPLORE.EXE
3068	IEXPLORE.EXE
1352	iexplore.exe
1352	iexplore.exe
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1284	VirusShare_270b70bad151a515136f553e5bc880ac.exe
1996	sdchange.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1996	1284	VirusShare_270b70bad151a515136f553e5bc880ac.exe	28
PID 1284 wrote to memory of 1996	1284	VirusShare_270b70bad151a515136f553e5bc880ac.exe	28
PID 1284 wrote to memory of 1996	1284	VirusShare_270b70bad151a515136f553e5bc880ac.exe	28
PID 1284 wrote to memory of 1996	1284	VirusShare_270b70bad151a515136f553e5bc880ac.exe	28
PID 1284 wrote to memory of 2924	1284	VirusShare_270b70bad151a515136f553e5bc880ac.exe	29
PID 1284 wrote to memory of 2924	1284	VirusShare_270b70bad151a515136f553e5bc880ac.exe	29
PID 1284 wrote to memory of 2924	1284	VirusShare_270b70bad151a515136f553e5bc880ac.exe	29
PID 1284 wrote to memory of 2924	1284	VirusShare_270b70bad151a515136f553e5bc880ac.exe	29
PID 1996 wrote to memory of 2732	1996	sdchange.exe	30
PID 1996 wrote to memory of 2732	1996	sdchange.exe	30
PID 1996 wrote to memory of 2732	1996	sdchange.exe	30
PID 1996 wrote to memory of 2732	1996	sdchange.exe	30
PID 2924 wrote to memory of 2264	2924	cmd.exe	33
PID 2924 wrote to memory of 2264	2924	cmd.exe	33
PID 2924 wrote to memory of 2264	2924	cmd.exe	33
PID 2924 wrote to memory of 2264	2924	cmd.exe	33
PID 2924 wrote to memory of 2520	2924	cmd.exe	37
PID 2924 wrote to memory of 2520	2924	cmd.exe	37
PID 2924 wrote to memory of 2520	2924	cmd.exe	37
PID 2924 wrote to memory of 2520	2924	cmd.exe	37
PID 1996 wrote to memory of 2824	1996	sdchange.exe	38
PID 1996 wrote to memory of 2824	1996	sdchange.exe	38
PID 1996 wrote to memory of 2824	1996	sdchange.exe	38
PID 1996 wrote to memory of 2824	1996	sdchange.exe	38
PID 1996 wrote to memory of 1956	1996	sdchange.exe	40
PID 1996 wrote to memory of 1956	1996	sdchange.exe	40
PID 1996 wrote to memory of 1956	1996	sdchange.exe	40
PID 1996 wrote to memory of 1956	1996	sdchange.exe	40
PID 1996 wrote to memory of 2032	1996	sdchange.exe	42
PID 1996 wrote to memory of 2032	1996	sdchange.exe	42
PID 1996 wrote to memory of 2032	1996	sdchange.exe	42
PID 1996 wrote to memory of 2032	1996	sdchange.exe	42
PID 1996 wrote to memory of 1312	1996	sdchange.exe	47
PID 1996 wrote to memory of 1312	1996	sdchange.exe	47
PID 1996 wrote to memory of 1312	1996	sdchange.exe	47
PID 1996 wrote to memory of 1312	1996	sdchange.exe	47
PID 1996 wrote to memory of 2364	1996	sdchange.exe	48
PID 1996 wrote to memory of 2364	1996	sdchange.exe	48
PID 1996 wrote to memory of 2364	1996	sdchange.exe	48
PID 1996 wrote to memory of 2364	1996	sdchange.exe	48
PID 1312 wrote to memory of 3068	1312	iexplore.exe	50
PID 1312 wrote to memory of 3068	1312	iexplore.exe	50
PID 1312 wrote to memory of 3068	1312	iexplore.exe	50
PID 1312 wrote to memory of 3068	1312	iexplore.exe	50
PID 1352 wrote to memory of 2948	1352	iexplore.exe	51
PID 1352 wrote to memory of 2948	1352	iexplore.exe	51
PID 1352 wrote to memory of 2948	1352	iexplore.exe	51
PID 1352 wrote to memory of 2948	1352	iexplore.exe	51
PID 1312 wrote to memory of 3040	1312	iexplore.exe	52
PID 1312 wrote to memory of 3040	1312	iexplore.exe	52
PID 1312 wrote to memory of 3040	1312	iexplore.exe	52
PID 1312 wrote to memory of 3040	1312	iexplore.exe	52
PID 1996 wrote to memory of 2840	1996	sdchange.exe	53
PID 1996 wrote to memory of 2840	1996	sdchange.exe	53
PID 1996 wrote to memory of 2840	1996	sdchange.exe	53
PID 1996 wrote to memory of 2840	1996	sdchange.exe	53
PID 1996 wrote to memory of 2376	1996	sdchange.exe	56
PID 1996 wrote to memory of 2376	1996	sdchange.exe	56
PID 1996 wrote to memory of 2376	1996	sdchange.exe	56
PID 1996 wrote to memory of 2376	1996	sdchange.exe	56
PID 2376 wrote to memory of 692	2376	cmd.exe	58
PID 2376 wrote to memory of 692	2376	cmd.exe	58
PID 2376 wrote to memory of 692	2376	cmd.exe	58
PID 2376 wrote to memory of 2004	2376	cmd.exe	60

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\sdchange.exe
  "C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\sdchange.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2732
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1956
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2032
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1312 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3068
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1312 CREDAT:537601 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3040
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:2364
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:2840
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "sdchange.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\sdchange.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "sdchange.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:692
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2004
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_270b70bad151a515136f553e5bc880ac.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_270b70bad151a515136f553e5bc880ac.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1352 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2948

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
149df1fdca094242cf0974f8b4dce58b

SHA1
d4cd18b8a58880ceba5324fb87ac9178588e13df

SHA256
c1b7a6250765ee31feef8ee83c8587c9b597bef217a77565b776d6267658ef05

SHA512
a6fb3b0d6d9ac727d16298bab7bf85af3e914b505112551d6d0aad939636995cc6714cd9832ebdd86c97d189a702157746a8c6bfa8c063033c5445e5fa28f4d0

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
33d9e26b9211cac9e01bd37cb315e0c4

SHA1
ec3b7ec4434ada7a61c269f42355f5c284c4ebd9

SHA256
431eef1ed1b7737a521090f175b8ad0586d871a8e8183fc16a1066bbb0e6fc1c

SHA512
1248469586f138b4587b94ef453d64cf109380ced2ecd2961947961b18ebf6d7990808faf226b1f476a4d82ce8248fec0414528c9b11a33bc0de163f57b32926

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.url

Filesize
85B

MD5
dbd896aed2c37b57ef5729810b2f1c71

SHA1
b219cdbad6566aaee4e046000a8add658098b910

SHA256
04a1f3445a3e0b1e3a00164fd5db5fa63e0b93a41ad386f0cfa417378893a328

SHA512
f9ff86155f35c67f6ef7f7ca8fef8a897b5bb2c74fe94fc0401764e083c94146ed404a6df4de7c8d6d1d11240635081bb8db1e2945a5f033da4cccd0d74ebe67

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.vbs

Filesize
219B

MD5
35a3e3b45dcfc1e6c4fd4a160873a0d1

SHA1
a0bcc855f2b75d82cbaae3a8710f816956e94b37

SHA256
8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

SHA512
6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1b5066c1c5f2e24bdd172d455981440

SHA1
b5f464963cbacea6607d7dca0c76f5828ae8e124

SHA256
4b21579a4de76d9dfd86789f1040642153a829cd7628a6c0de402f0a7d476ffc

SHA512
e850f1aeeee29ceeb0c0c27d5ed4039941d034e45d639b9fb863cce8efa8e65d2f09c3a0c489891992d6803ebfe3992b91d096e5169c90e593e8c78dc6f933a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f80d0dda99c1c92bed9ec4f29050404

SHA1
9e6db6e08f17d5b34ba0f8554334b9044b13752c

SHA256
4ae60f22b35ec101fe0cf26354b64f17ecd385bb37b773e2c67c5894efda2459

SHA512
1722207a9cbbd5ec56a150a3f0c23cf8c2f5a9d37963b4d1290992243539ab04687d7c1039e2891da1c836bed4e13ec833e121bdb045e0913c57674d21181bb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5d0d8892c41a8b503f05fd14b361c16

SHA1
83229a17bd8466c5c56de1c0f8b7b816bed38128

SHA256
6812e476de3c793baa6c9861a0f9900e2172aedfaf47080fcf1180e6b70650f6

SHA512
dc1be78b5312d9d59fdeb3fd6026c211fec2a37c22ac44a2b3c1e4b0c716cf291a71927b2eb653dce30906846fe3e92b8926dede725bb7fd353977f52e976f54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7177c7d54beffb7cb317d297953344f2

SHA1
468ed592a73636fde1eec2019f7cb5031116bfeb

SHA256
ade4706357d2a2a573efc003e654ee538f98de363f24c0835c511121c0fa5ba0

SHA512
387801d467962e2238078c2c07465046c850643fc54cce75ee095bd2f9d7f5f28b6bebbc60d0d1013cd54923c3786f0959034a84e1cfc868ff74d2476bd7e08e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e4dc8684c76daf570cc4507cc81d8b7

SHA1
7adeafb809b318a13b2596e3f97a893cb879514f

SHA256
0e6bd8f83f503c270d894c621191e679c2f71378452830319d237ae2c3384620

SHA512
4716d81fd675510cc8c2e4aac0554236a85b10d20be21ae6ce12ebb97cbde131e1f97549902ffe4ee3bee4bde285e4c2feebc26e0dea9d8a8c8b2990abbb1942

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f386b5b28f4e22d67ac63bb771be1de7

SHA1
921062cb3e5519bc82d197073c73dfbf8dd44900

SHA256
2a4ce1a2d0e114f2f1c1a77989ae35f3320bf0354194ddb8e10e1e8b634dd04d

SHA512
ec4721358d9440701c6b8ebc49fc17b931482e35750d1975c39dddac28cc24fa41bc7c6bfcab1f2691067dd93b8028c92fb0f06f7e5a40439788b6f70f4fc3d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4deb6ed2be2e60f2795260ad7faf2c75

SHA1
3358b113dba95f07a891a9279038c3d3fa6470c7

SHA256
3a51c3b299b3946a257e32188409ee2205d06f344e87be87ad8f4cdbf6834012

SHA512
ed89be106360416d2a34f99198ebc94a4e6f049e98fc78135eb84fa9ba29c2987e83539a5d1b613996e372dfa2c71dbf1922e521efb0f8c888a4d1ffb2e43394

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0971335fa4d2ec5dc39c7c9f867da483

SHA1
186eee0ea07a24498bf0a146fbdc2e57b462c588

SHA256
9b9b44f5806f02228013d3c55b48b4209b018f715bfd6b944d3926adbfbba544

SHA512
ee07dbbf1faedf258d144264bbb49a5a18291282cdb07d440541b795936070d64943a0e673d6a69a51de590f450a6c9cd75e850d01fc15badcb9d820d204c183

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69d1625472a2899cf4f9cbcde409f3aa

SHA1
0ac88f0df54442f7966a2caaf433aa15288bf71a

SHA256
7a4aa259893dd3f239c7dbc426f7c95608b41d57a0ae30461b822ecb3c66d8ca

SHA512
95c70b91ac5ab64d1b12f84b8977d58da5ab12de956afab7bb6a41c18a052560b6254ee917258b700fe3bd9f64d43fc03ef6d9dfb8fb7f0db1b955810e41b7e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76c921f22884884e73ef737ff69bc7c1

SHA1
733a12d00a35949f6bbd576c88272603993bf1bc

SHA256
3dfb04a84e6b310752dbc1d5990304d33ae43e8c5cd77830b9742470825de252

SHA512
76e605f69e8dba41047b10e9dc40586c96fe63b40a9449c1d6bcef1e9e090805151958568a08d17bed8a50d660d625702a85b3259343bbc6fc52953dbab4c33c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb5b76e6606255adbde3cf0d69a59134

SHA1
aa760c0775782ee6491dd10668cb02442a4bf7ff

SHA256
05bf40ef1147d417a20fee058cad625e813b07f68d3f07ff88535eb98292c798

SHA512
3eaf12dad46f807be615aa35ce82942518cb88aaf5e2bc2237f0771455f4f4ae1bed54af624d14f178e3fd988125ed65f9886aeea324988383b9ebd70736456b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e3d2bb04e4b72c316f662ebfc809d3c

SHA1
57550402bd80e814d08c5180b5f0d0746c5fa66b

SHA256
4ccd0ed3798850dd80d37744d845419c6b4ffcc086b300b6b99f7779fa34f573

SHA512
4e3a609ba55e2f27ab01619c8ba01f8fc48ff943ed22e2426d8ad9242c1eec19f7eb238f43efde6c14cde7e40fbbdc475c9b8e264cd8d5273e8d46d68138ea08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8c0b3cec72217f7de6d16571d3f3f7d

SHA1
1ae6dc8aab9fb77d2ef1947c023d9c5fc34d62c1

SHA256
ce6b529355e35b6963578991816a638e12c3e9f1b1a83c5e2f96ba46b3de462e

SHA512
241f7c4398a242e5696cc6b264fd3126b734d5d8237df1afcf6ec6baaba139b3ed4dd17117da37735dd89f0cce3806f2a1ddc27725e2485a76118e5197cd6f06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C693FB91-20E4-11EF-BADF-D62CE60191A1}.dat

Filesize
5KB

MD5
d354db16bcbb9ed6a7789a7403f401e1

SHA1
6a31f2cb1daf2ff7426f1fdc8a5390812d7ceded

SHA256
5f498bfef8c46be2bb517996b07bb97e83463e4204993fab1d44fbb722be62d9

SHA512
8a47788b20f5192fe4a566e4e131bf04c3ecae86bf3b9640d9ffd327a39dfba02aefe8f7c61c2d1cbea88e69da9b190978cc9ce13e7ff1331e2f12387801c44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar34DE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\sdchange.lnk

Filesize
1KB

MD5
fde659380bb0065aef52c1327ab26a50

SHA1
d7e26b044aa2460f9f808aee4c85af9e3e215fad

SHA256
b335e7f209d20881b99cb66dae45c7ae16dcf4ed0d7d7e7755ab3984c0cfeee6

SHA512
daf32531986cd3682667e9cb89e47be1535bb89449cbdf3cc4eee27353b1420cf0c1dde1c04f7df0d9560a1288e3b32844fc1818093c48a752a6aa06cc5eb3c9

Download Submit
\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\sdchange.exe

Filesize
344KB

MD5
270b70bad151a515136f553e5bc880ac

SHA1
77b7def336c7647c6faadaf7136d70ff1e9ba7fc

SHA256
db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

SHA512
c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

Download Submit
memory/1284-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1284-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1284-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1284-0-0x00000000000C0000-0x00000000000DE000-memory.dmp

Filesize
120KB

Download
memory/1996-485-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-490-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-476-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-474-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-472-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-470-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-468-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-466-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-503-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-514-0x0000000005120000-0x0000000005122000-memory.dmp

Filesize
8KB

Download
memory/1996-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-487-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-33-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-483-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-1003-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-492-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-22-0x0000000003D50000-0x0000000003D51000-memory.dmp

Filesize
4KB

Download
memory/1996-494-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-496-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-498-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-500-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download