cerber | 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

Analysis

max time kernel
128s
max time network
129s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Size

186KB
MD5

8ec363843a850f67ebad036bb4d18efd
SHA1

ac856eb04ca1665b10bed5a1757f193ff56aca02
SHA256

27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
SHA512

800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684
SSDEEP

3072:TFFzdn1bwoWwW8BplOd4G5ts0RTy/L1yib5icNisjx3jUiXy:TFFzvwoWw3BXOdl5Ts1yw0s13jU5

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.zmvirj.top/DB98-3955-5586-029E-DA7B | | 2. http://cerberhhyed5frqa.qor499.top/DB98-3955-5586-029E-DA7B | | 3. http://cerberhhyed5frqa.gkfit9.win/DB98-3955-5586-029E-DA7B | | 4. http://cerberhhyed5frqa.305iot.win/DB98-3955-5586-029E-DA7B | | 5. http://cerberhhyed5frqa.dkrti5.win/DB98-3955-5586-029E-DA7B |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/DB98-3955-5586-029E-DA7B); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.zmvirj.top/DB98-3955-5586-029E-DA7B appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.zmvirj.top/DB98-3955-5586-029E-DA7B); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/DB98-3955-5586-029E-DA7B | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.zmvirj.top/DB98-3955-5586-029E-DA7B

http://cerberhhyed5frqa.qor499.top/DB98-3955-5586-029E-DA7B

http://cerberhhyed5frqa.gkfit9.win/DB98-3955-5586-029E-DA7B

http://cerberhhyed5frqa.305iot.win/DB98-3955-5586-029E-DA7B

http://cerberhhyed5frqa.dkrti5.win/DB98-3955-5586-029E-DA7B

http://cerberhhyed5frqa.onion/DB98-3955-5586-029E-DA7B

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.zmvirj.top/DB98-3955-5586-029E-DA7B" target="_blank">http://cerberhhyed5frqa.zmvirj.top/DB98-3955-5586-029E-DA7B</a></li> <li><a href="http://cerberhhyed5frqa.qor499.top/DB98-3955-5586-029E-DA7B" target="_blank">http://cerberhhyed5frqa.qor499.top/DB98-3955-5586-029E-DA7B</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/DB98-3955-5586-029E-DA7B" target="_blank">http://cerberhhyed5frqa.gkfit9.win/DB98-3955-5586-029E-DA7B</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/DB98-3955-5586-029E-DA7B" target="_blank">http://cerberhhyed5frqa.305iot.win/DB98-3955-5586-029E-DA7B</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/DB98-3955-5586-029E-DA7B" target="_blank">http://cerberhhyed5frqa.dkrti5.win/DB98-3955-5586-029E-DA7B</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/DB98-3955-5586-029E-DA7B" target="_blank">http://cerberhhyed5frqa.zmvirj.top/DB98-3955-5586-029E-DA7B</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.zmvirj.top/DB98-3955-5586-029E-DA7B" target="_blank">http://cerberhhyed5frqa.zmvirj.top/DB98-3955-5586-029E-DA7B</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.zmvirj.top/DB98-3955-5586-029E-DA7B" target="_blank">http://cerberhhyed5frqa.zmvirj.top/DB98-3955-5586-029E-DA7B</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/DB98-3955-5586-029E-DA7B in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16390) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\dccw.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\dccw.exe\""	dccw.exe

Deletes itself 1 IoCs

pid	Process
2112	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\dccw.lnk	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\dccw.lnk	dccw.exe

Executes dropped EXE 2 IoCs

pid	Process
1132	dccw.exe
2796	dccw.exe

Loads dropped DLL 2 IoCs

pid	Process
2060	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
1132	dccw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dccw = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\dccw.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\dccw = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\dccw.exe\""	dccw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dccw = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\dccw.exe\""	dccw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\dccw = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\dccw.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpFEF8.bmp"	dccw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2712	taskkill.exe
1284	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\dccw.exe\""	dccw.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7402466A-3EA9-2132-F626-09DE715F2421}\\dccw.exe\""	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop	dccw.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{04602ED1-24F0-11EF-A48B-4635F953E0C8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000c78f974bb9449a3c743798c1a672209b44a8f0d0a083b372acf2ddb59fc2821f000000000e8000000002000020000000f5884085640fc08882a4e3b3d5becc18bf1e1392c9df3764ac0b6030d24c91b2900000006e533178c3bdc10b343aca1aa35c277130667694465fad63b2039f300943f7140d62a913cf4ade68d44c8a335f97fbbe860cbcd4b65c9cda69bf2e9b6e508804e61f70c955043d6cb61f60d29416dab55181bd3a70848091a5234c8175096b2349b8d14a8c89311e09522683a21df18304973d04540c790c7ef8add5e06598d298f08ee4af508a0482341e8ad5c38c1e40000000685f86ad6c9ac514fc793785257d487df0c4878da403c327e6095a605edbddc63ba60fc1265cc0f6381f7323bd48db4e5733401ce4bc54f8f00356b941bcd72f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0469B451-24F0-11EF-A48B-4635F953E0C8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e02f28c7fcb8da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000b9e0350ca405cc74fbd6640882dc8821743450d3f3a9137a326929b36dc806c8000000000e8000000002000020000000d981b88dcd83b2fb174a57404efb1d31030c842118abc9e7d40e19a55b8b9c1720000000d0bc630aef0249a6233f39f4c1159c1920ed8d75d49c78cd76360ceaf842826540000000e84743eb22ddd9697e699c1d9531ed1acbd84252d8738bd1c42433cc5a0f40abaa14921044f2199041ebebfe38c52c654d27c155ab134333618a2c794e70f9e3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423941743"	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2516	PING.EXE
1432	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe
1132	dccw.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
Token: SeDebugPrivilege	1132	dccw.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	2796	dccw.exe
Token: SeDebugPrivilege	1284	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
932	iexplore.exe
1616	iexplore.exe
932	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
932	iexplore.exe
932	iexplore.exe
1616	iexplore.exe
1616	iexplore.exe
932	iexplore.exe
932	iexplore.exe
2164	IEXPLORE.EXE
2164	IEXPLORE.EXE
768	IEXPLORE.EXE
768	IEXPLORE.EXE
1312	IEXPLORE.EXE
1312	IEXPLORE.EXE
768	IEXPLORE.EXE
768	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
2060	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
1132	dccw.exe
2796	dccw.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1132	2060	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2060 wrote to memory of 1132	2060	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2060 wrote to memory of 1132	2060	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2060 wrote to memory of 1132	2060	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	28
PID 2060 wrote to memory of 2112	2060	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2060 wrote to memory of 2112	2060	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2060 wrote to memory of 2112	2060	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2060 wrote to memory of 2112	2060	VirusShare_8ec363843a850f67ebad036bb4d18efd.exe	29
PID 2112 wrote to memory of 2712	2112	cmd.exe	31
PID 2112 wrote to memory of 2712	2112	cmd.exe	31
PID 2112 wrote to memory of 2712	2112	cmd.exe	31
PID 2112 wrote to memory of 2712	2112	cmd.exe	31
PID 2112 wrote to memory of 2516	2112	cmd.exe	33
PID 2112 wrote to memory of 2516	2112	cmd.exe	33
PID 2112 wrote to memory of 2516	2112	cmd.exe	33
PID 2112 wrote to memory of 2516	2112	cmd.exe	33
PID 2772 wrote to memory of 2796	2772	taskeng.exe	36
PID 2772 wrote to memory of 2796	2772	taskeng.exe	36
PID 2772 wrote to memory of 2796	2772	taskeng.exe	36
PID 2772 wrote to memory of 2796	2772	taskeng.exe	36
PID 1132 wrote to memory of 932	1132	dccw.exe	39
PID 1132 wrote to memory of 932	1132	dccw.exe	39
PID 1132 wrote to memory of 932	1132	dccw.exe	39
PID 1132 wrote to memory of 932	1132	dccw.exe	39
PID 1132 wrote to memory of 1072	1132	dccw.exe	40
PID 1132 wrote to memory of 1072	1132	dccw.exe	40
PID 1132 wrote to memory of 1072	1132	dccw.exe	40
PID 1132 wrote to memory of 1072	1132	dccw.exe	40
PID 932 wrote to memory of 2164	932	iexplore.exe	42
PID 932 wrote to memory of 2164	932	iexplore.exe	42
PID 932 wrote to memory of 2164	932	iexplore.exe	42
PID 932 wrote to memory of 2164	932	iexplore.exe	42
PID 1616 wrote to memory of 1312	1616	iexplore.exe	43
PID 1616 wrote to memory of 1312	1616	iexplore.exe	43
PID 1616 wrote to memory of 1312	1616	iexplore.exe	43
PID 1616 wrote to memory of 1312	1616	iexplore.exe	43
PID 932 wrote to memory of 768	932	iexplore.exe	44
PID 932 wrote to memory of 768	932	iexplore.exe	44
PID 932 wrote to memory of 768	932	iexplore.exe	44
PID 932 wrote to memory of 768	932	iexplore.exe	44
PID 1132 wrote to memory of 776	1132	dccw.exe	45
PID 1132 wrote to memory of 776	1132	dccw.exe	45
PID 1132 wrote to memory of 776	1132	dccw.exe	45
PID 1132 wrote to memory of 776	1132	dccw.exe	45
PID 1132 wrote to memory of 1644	1132	dccw.exe	48
PID 1132 wrote to memory of 1644	1132	dccw.exe	48
PID 1132 wrote to memory of 1644	1132	dccw.exe	48
PID 1132 wrote to memory of 1644	1132	dccw.exe	48
PID 1644 wrote to memory of 1284	1644	cmd.exe	50
PID 1644 wrote to memory of 1284	1644	cmd.exe	50
PID 1644 wrote to memory of 1284	1644	cmd.exe	50
PID 1644 wrote to memory of 1432	1644	cmd.exe	51
PID 1644 wrote to memory of 1432	1644	cmd.exe	51
PID 1644 wrote to memory of 1432	1644	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\dccw.exe
  "C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\dccw.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:932 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2164
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:932 CREDAT:865281 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:768
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:1072
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:776
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "dccw.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\dccw.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "dccw.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1284
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1432
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2516

C:\Windows\system32\taskeng.exe
taskeng.exe {C9844F60-C0AC-44D1-A6C7-5B8B8A99718D} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\dccw.exe
  C:\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\dccw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:2796

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1616 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1312

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
31ee1493fa15aeda7565a0821c8797c2

SHA1
caaa521abaa17c4d067bd67a767ed1e96f29f7fc

SHA256
7a7451a7e08e456a74c290090e630bf7b39ddfdcb396fa1e4adc57280cc08e90

SHA512
ab13b8860b727712200669e2b3a90702382239915fdaf3e611b7acdf76b688655db3b8340dec8f6b1f404b7a0f29758b42dfd57d5b4af0c5b4eecf032a6900f1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
f6479c3defaa26c2b62d124ac0cd9dec

SHA1
bb2df9d9b9519adb57aa6bf96b264e1b8f994603

SHA256
e8782f70710dc5e2a5f21fe4cd686198f1d29a896eae8ae13f91c66ec8f27e6d

SHA512
2923e4b492600b38fe660ded4af5ed2364adc7f96e0049cf92298098123b77c0b896fb0879a0a225a35e923f425ba661af29ce87cc76063b9f4647355f06f75b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
225B

MD5
f6d629f2a4c0815f005230185bd892fe

SHA1
1572070cf8773883a6fd5f5d1eb51ec724bbf708

SHA256
ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

SHA512
b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
f1bba0db557bf14b1045e7089181b8af

SHA1
22faf91df0e0198cbe712fa144ec113bc8d19b1e

SHA256
367cedeb59bec2f2c9d775573fecf07c08140e80f641d875bca8854eb93a37a8

SHA512
491dc8194970b0c87457dbbb5b764b7a6d877f94bd419e85b01472ac13e876e0453b203fda5d21c293a0063c447f350f9aa059f209a743160278e1fe1a27383c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93f75c3ea6f97d79c0e13ce03c49a40e

SHA1
99889ada63876b1ad391e01a4437ee1f01eb63f7

SHA256
6577435a6e396a35e1a0e65f3efea35a29746462b8ed668d847a1eee1cd04a68

SHA512
6bf3320d09f0100cc748fa6cc1cab7827d89be25d72f7874d33f8c35af0b1b8c01169b60acd5659a9bba207bdbe5341cc4d3a9bdaaab9072e19ba36330f30187

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51d073bee2875f5d9a16aedada2d5358

SHA1
8228243827b33b88aed05a6d1a0393e9f4e8a432

SHA256
a65b3b3b909245ada53ce19be87f5aa24118b1bb1c54ffbd72517632ca3a1496

SHA512
31394b5d3f95beb31cae9260a03ef2d09f9f63593c7182fc5da063d1d44216acde8660f53ef17b7b5267e5a0fc8426dc399ce5d8a70dc428e2b1286d5aacb568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfa057f4eebd719cc19d6ded9fa7870f

SHA1
88aa9f2544544e77ed8ab80d9f1077bf6fab73f7

SHA256
e871874313c910bde9fff6377d41a5cdc6ac99c73c6becbe6cbadfb67768bfb0

SHA512
0cb84c8b7de44012524b3c48b5a7cf637c1985b26b1d5e40dae4a961c7f2fceb8533f923492fdd2f27644aa8c937f021f45402e2f4e37e0af3716077d7b579c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77ebbe3b16d44f50a0f0514e25e91fd2

SHA1
df495f110baa5ab0cb4f9bb8e4415f2fa91a1960

SHA256
ff09caef42ecd95129017c40347082454e7da990e83e3e838f1f7391f292b428

SHA512
cbb634ccca527ccdf25cf7eed0401f971aa5f8df128b592e7da9fac2e021a4e9348a6d208acd3988541800617397d59adef061877e0bf40e747715af05b6a5d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2995c71c78647d0945cc88170c2047c9

SHA1
aec7d6850a7c6648197e02c36d2a8f4a70613d96

SHA256
605f1f6238df081f60cd21f7e8efd95db20367a4154d65a799a89315160f7062

SHA512
01069f4d5d9391012975a4796853b1aeedbdf95603173eba9a4a5197dc23671ee7adaa1f441575b16abf8ddc58988cbd4e2e8feab8ed769bc057c864f58aa594

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37b00679574a28b056450c3ef0852c0f

SHA1
c60cf4dde6b0c11c69136a071973a78b810376b8

SHA256
80be94dba5f06e697b7eff7d61ec305c14af2064c3d3d51301d9085a58854392

SHA512
6df0f690db9b06bced1dba4241c2d140b60b8eab34d4edff0ac7adef0bc0d476c82b19b8a7a6ffb08fa09b19cc945650ea497f2dca33ef6d8ab47dfc99b58a85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bddebff3781c3dbd5f107d73c788771f

SHA1
68f937b1dacdcac6c6a25f9aef05e7b335bbfdd0

SHA256
83467332a527a79f843db35dfa6c200894af4d018dfc3b689dc6aaa96a268933

SHA512
af2478fd63863f5eef1c59806a09ba820d595a5553831709229fa3909230a0f80b81dcd903359b833343699b183d330c0871eed1c1e053e1b151d8885cc15d28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fee760befdb2a62662a859ebd64e4e9e

SHA1
827958ad45d833c6a36b205a7148f6a90ee749d5

SHA256
8d06c8a082d049d8df855c06cbc1aadde5334a3c85a250916387c2e90139775b

SHA512
df7d105634dada0dd1e9f006c01685cb7c8b0c6203e15254823c0d34adbc57d9c670022aae88a35296c29f639041651d7b420a4f8f4dbbd2c9a6e835797b81dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d73255e750aaed58c4a2ad0be4d06aa7

SHA1
b1009c15e0b5c0044868940ec2d35c55e0b30464

SHA256
64c4c8a6e514fe8a760f4fa0fb9d8c2231135c14e7306d6d97b45af05400b618

SHA512
e236cd4df71a041ae59969a5c0ea76f1ada7b1efdd908333e112b246d7530f600efa828d3d9ab0df16036a70bed2df98e3e23a2114bbc97b5b63fb2f71bd908d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd0ae093c4b5acb64e3c9c735bd953c7

SHA1
e3961414767a6d7526021407575b80294f742b3d

SHA256
b6039229d66376f14296f8c1993b2cc3b91dcaa520c75fe6c047ffe913f80c74

SHA512
5510790050b8fcf71b6e538d48443f3b656e5a0655e90adb698866f125ae8416fa032b68467299e57c4a9b49e35cec81d9c2e2d875d851f08e6bc80d11aec8be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abecaa7e191c6d4f6acabd94a3ccd8f6

SHA1
f88461b59a3aabe9771e94b6627371223b117107

SHA256
f57ffdf38314e5d4773cc57a8d67e9c6d803b044e6d3ad8222114172f788174b

SHA512
60c34548eb874005eff57d884a86a4bd188d5273ddb61b83030c6907d0f8fed00ebb6e0c5391be4a3fff0484db3a29029a1701069e0baf7f97220e9ad8a10057

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49b564e8dfd59cbc00d58694b409f770

SHA1
083473c79a34932030efb3698172c2a421b7146e

SHA256
b1e7d1ccffeff3b10f8af88f230e21053c19297004768d3fbf757478a8ab2838

SHA512
c3ffd37229e87e8952c61f7799e7ae2420f69ff2b2c6c8eb6b6ed4aebd88d99bf5410f074ce2c5d4ce838d5f6d74a39298a04598f034f0de4169bd458f7680f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c8779517159da3972c7c11eaf147fbc

SHA1
01d5ed630b9ed8099ee5fe2755b52fa33199891c

SHA256
4a8e135db48e04b10fa1b33142f085ccc8766a43e7be1efecffe8e1f589ed7f2

SHA512
d2454a6d91b8a8d34c45c6f3c091bc9c348134b23c0d1da22f8a3a8d7c65f6e62efdc792e85d303213a69b51753dcdc1560199433e30c2333ffeca03a21e327a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3914aa1d1135f9bc1cff21f7fea9bea9

SHA1
f3ae70df21b273930928ed09defc71eb77cbe7e1

SHA256
05147e7fff5d40fccb5322046bdab3b02f8f6202a6e3ecc6dc6bcf1c0c753edb

SHA512
c898d4ee7a8ca9ef6dd38f11d141a506a2dda9510662000cbce4148b8988cf96e00b11246dcc20498d52b2103e3a6be9b7e08206d196e8500b842bb6fea86f87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1dc10064b131135dd566d2eba983a0ae

SHA1
e5c5230538734e50dc02c1ae0badcaef9739e744

SHA256
75c5e289790387814789a02a5d92fe68c68a0646437a083a7ab435dcb210eb00

SHA512
fee13c05b8111861a5c981d2dd53e1a6036c36540b847c841fda8bd55d2c89a74e20f6a5871a87b15f9ce5fb05e75dffaeda73c9f7b43de6b145b6732aed57cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da84394d2fe896b56c33a1da5cebd5bf

SHA1
155beeca30be17acbfe55de2931d42241ce4757d

SHA256
41e55a9a5f593038eb7c55923f8df5f11a5fa5784a00a43ac097a687cec9dd4e

SHA512
f62ab311869578eb902158cedafabeabb0e7e00df980d73e6f02f05fff967de5ff84d307b4fc6a440311b5eca01b1eef6653139dd2e43cb8f0e5df90791a6d5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e447b92f7541f3c52343908746064ff

SHA1
56be9b92234aee31ac582df6afa420c9ae580466

SHA256
bbadb90a30cf5435c483ee97bb456ed53ceb3b0b8d1cbdc0a7b97ada4dbc416b

SHA512
27d3bd322ea14d92ad5b466ef6e75c590348abad8fded7a3f7affc7f0b68832e2c72286069a4ddd5723bee98ad5554eb130e35246537c6bf0d3bed12b7204c4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6aeff2b54e6424ed16be22c52de6a56a

SHA1
2b608b4b3f863ce410eae9ca65f37fd19f9951a6

SHA256
6df6bee83059bb0e8f0f39b44ac20ea495f95d07a525abb8379deb5564275912

SHA512
71891a6432504d4b1f35916fff54ca1b08598998cabb3c396c5fdd586a9e616635723fd9e0c735317d957bfc87e9f1ba2bf7428be66d4a83f25bec9220c7d3db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{04602ED1-24F0-11EF-A48B-4635F953E0C8}.dat

Filesize
5KB

MD5
8685a7fb65978e0a20303e6147a868f3

SHA1
1e8978e279060ce6dfdaf3dbb1354106f4c7bc15

SHA256
94f93c812b97e8ce390296dcbc081af3dc77e62d0ac93e06765c4ef10c95fb56

SHA512
720461eebe5b1485162d0e6b87e2f56322a2f58f5b75a32b9337dc53df600eebbdaa8ef4b559d8ec7a3210dbe30a46a766107ec17a06d7665dc2dfb3f31e8230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0469B451-24F0-11EF-A48B-4635F953E0C8}.dat

Filesize
4KB

MD5
b1761aa1b2fd3abbabb02bc4b9d51e5f

SHA1
12d8b8897697405720c69469a0f86a4cf87e6085

SHA256
cc4401333dba2505d368c3515d689cd423c4f71816d81a23dd696143051a7796

SHA512
7b2e9e2d2c1ce1c22845e3712383f6338b0959712df4859029331f03a538b63eefe68a7771c6422d2d42407e4ab395f786a67cf6e8daf6c05826f4c81ad8702d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab16FB.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1771.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\dccw.lnk

Filesize
1KB

MD5
6b5abad853617018d8e50678e712b18b

SHA1
9061604a1b9bd2a5f3c32b98517d74300cb30c82

SHA256
ed33830f36844022c4c3239e1b28eaad0fa385b23e4178c5ae29d813454aa45e

SHA512
da491aab10c9430b327cee1fcedc48e553fa08396681468f4cb54dc0ee17440ffdc660fc7229ba93c88b1230b4a5fc937e25b26b1171b28b09f309bf807cee12

Download Submit
\Users\Admin\AppData\Roaming\{7402466A-3EA9-2132-F626-09DE715F2421}\dccw.exe

Filesize
186KB

MD5
8ec363843a850f67ebad036bb4d18efd

SHA1
ac856eb04ca1665b10bed5a1757f193ff56aca02

SHA256
27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8

SHA512
800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684

Download Submit
memory/1132-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-384-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-411-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-409-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-407-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-404-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-369-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-426-0x0000000005DF0000-0x0000000005DF2000-memory.dmp

Filesize
8KB

Download
memory/1132-372-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-375-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-378-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-381-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-414-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-399-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-387-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-912-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-913-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-390-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-396-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-393-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1132-17-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/2060-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2060-0-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/2060-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2060-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2796-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2796-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download