Analysis
Max time kernel: 150s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07-06-2024 18:29

Static task: static1
Behavioral task: behavioral1
  Sample: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
  Resource: win10v2004-20240426-en

General
Target: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
Size: 392KB
MD5: 6653ef20d2a3a6ef656d9c886ebabd93
SHA1: bb0cc0b05bb70a3d347faa94fb36a35c771b0692
SHA256: 48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d
SHA512: b68b37147ce0d1389d62f5f72ebb616edc7d2ed2aaa484e85f6dc4b6070c9ce973a523e11e311686dc0efb0757fe52dcfa430afb1f48f98ecfdc257c6f3cc360
SSDEEP: 3072:viHZTdn6oWzjNtxPPnGau7GMuOYHAifZEeKPi6u7KzrN7ivE5oY4KppRsqYaefiU:QZqPtvGauSM4HAifkGOzrN+HKkalM
Malware Config
Extracted from: C:\Users\Admin\Documents\# DECRYPT MY FILES #.txt
Family: cerber
URLs:
- http://cerberhhyed5frqa.xlfp45.win/22F6-4CC5-EBBD-0291-9ED4
- http://cerberhhyed5frqa.slr849.win/22F6-4CC5-EBBD-0291-9ED4
- http://cerberhhyed5frqa.ret5kr.win/22F6-4CC5-EBBD-0291-9ED4
- http://cerberhhyed5frqa.zgf48j.win/22F6-4CC5-EBBD-0291-9ED4
- http://cerberhhyed5frqa.xltnet.win/22F6-4CC5-EBBD-0291-9ED4
- http://cerberhhyed5frqa.onion/22F6-4CC5-EBBD-0291-9ED4
Extracted from: C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- Contacts a large (16398) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe, lodctr.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\lodctr.exe\"" | VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\lodctr.exe\"" | lodctr.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: lodctr.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | lodctr.exe
- Drops startup file (2 IoCs)
  Processes: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe, lodctr.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\lodctr.lnk | VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\lodctr.lnk | lodctr.exe
- Executes dropped EXE (1 IoC)
  Processes: lodctr.exe
  pid | process
  2632 | lodctr.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe, lodctr.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lodctr = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\lodctr.exe\"" | VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lodctr = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\lodctr.exe\"" | VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lodctr = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\lodctr.exe\"" | lodctr.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lodctr = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\lodctr.exe\"" | lodctr.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  5 | ipinfo.io
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: lodctr.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp7DE5.bmp" | lodctr.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  4068 | vssadmin.exe
- Kills process with taskkill (2 IoCs)
  Processes: taskkill.exe, taskkill.exe
  pid | process
  3940 | taskkill.exe
  536 | taskkill.exe
- Modifies Control Panel (4 IoCs)
  Processes: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe, lodctr.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop | VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\lodctr.exe\"" | VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
  Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop | lodctr.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\lodctr.exe\"" | lodctr.exe
- Modifies registry class (1 IoC)
  Processes: lodctr.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | lodctr.exe
- Runs ping.exe (1 TTP, 2 IoCs)
- Suspicious behavior: EnumeratesProcesses (42 IoCs)
  Processes: lodctr.exe, msedge.exe, msedge.exe, identity_helper.exe
  pid | process
  2632 | lodctr.exe (36 entries)
  1772 | msedge.exe (2 entries)
  2812 | msedge.exe (2 entries)
  3796 | identity_helper.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  Processes: msedge.exe
  pid | process
  2812 | msedge.exe (10 entries)
- Suspicious use of AdjustPrivilegeToken (51 IoCs)
  Processes: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe, lodctr.exe, taskkill.exe, vssvc.exe, wmic.exe, AUDIODG.EXE, taskkill.exe
  description | pid | process
  Token: SeDebugPrivilege | 1660 | VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
  Token: SeDebugPrivilege | 2632 | lodctr.exe
  Token: SeDebugPrivilege | 3940 | taskkill.exe
  Token: SeBackupPrivilege | 4648 | vssvc.exe
  Token: SeRestorePrivilege | 4648 | vssvc.exe
  Token: SeAuditPrivilege | 4648 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this full set is recorded twice) | 5080 | wmic.exe
  Token: 33 | 1636 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1636 | AUDIODG.EXE
  Token: SeDebugPrivilege | 536 | taskkill.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
  pid | process
  2812 | msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  pid | process
  2812 | msedge.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe, lodctr.exe, cmd.exe, msedge.exe
  description | pid | process | target process
  PID 1660 wrote to memory of 2632 | 1660 | VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe | lodctr.exe (3 entries)
  PID 1660 wrote to memory of 4880 | 1660 | VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe | cmd.exe (3 entries)
  PID 2632 wrote to memory of 4068 | 2632 | lodctr.exe | vssadmin.exe (2 entries)
  PID 4880 wrote to memory of 3940 | 4880 | cmd.exe | taskkill.exe (3 entries)
  PID 4880 wrote to memory of 3052 | 4880 | cmd.exe | PING.EXE (3 entries)
  PID 2632 wrote to memory of 5080 | 2632 | lodctr.exe | wmic.exe (2 entries)
  PID 2632 wrote to memory of 2812 | 2632 | lodctr.exe | msedge.exe (2 entries)
  PID 2812 wrote to memory of 164 | 2812 | msedge.exe | msedge.exe (2 entries)
  PID 2632 wrote to memory of 528 | 2632 | lodctr.exe | NOTEPAD.EXE (2 entries)
  PID 2812 wrote to memory of 1596 | 2812 | msedge.exe | msedge.exe (40 entries)
  PID 2812 wrote to memory of 1772 | 2812 | msedge.exe | msedge.exe (2 entries)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe (PID 1660)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe"
  - Adds policy Run key to start application
  - Drops startup file
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\lodctr.exe (PID 2632)
    cmdline: "C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\lodctr.exe"
    - Adds policy Run key to start application
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\vssadmin.exe (PID 4068)
      cmdline: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
      - Interacts with shadow copies
    - [3] C:\Windows\system32\wbem\wmic.exe (PID 5080)
      cmdline: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2812)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 164)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8842e46f8,0x7ff8842e4708,0x7ff8842e4718
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1596)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16450596138396344964,16066069006366597246,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1772)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,16450596138396344964,16066069006366597246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4060)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,16450596138396344964,16066069006366597246,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2748)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16450596138396344964,16066069006366597246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1264)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16450596138396344964,16066069006366597246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4472)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16450596138396344964,16066069006366597246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2920)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16450596138396344964,16066069006366597246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2976)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16450596138396344964,16066069006366597246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1808)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16450596138396344964,16066069006366597246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 /prefetch:8
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3796)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16450596138396344964,16066069006366597246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4676)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16450596138396344964,16066069006366597246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1476)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16450596138396344964,16066069006366597246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4444)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16450596138396344964,16066069006366597246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4408)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16450596138396344964,16066069006366597246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3248)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16450596138396344964,16066069006366597246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
    - [3] C:\Windows\system32\NOTEPAD.EXE (PID 528)
      cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2172)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.xlfp45.win/22F6-4CC5-EBBD-0291-9ED4
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3644)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8842e46f8,0x7ff8842e4708,0x7ff8842e4718
    - [3] C:\Windows\System32\WScript.exe (PID 2784)
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    - [3] C:\Windows\system32\cmd.exe (PID 2664)
      cmdline: /d /c taskkill /t /f /im "lodctr.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\lodctr.exe" > NUL
      - [4] C:\Windows\system32\taskkill.exe (PID 536)
        cmdline: taskkill /t /f /im "lodctr.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\PING.EXE (PID 2224)
        cmdline: ping -n 1 127.0.0.1
        - Runs ping.exe
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 4880)
    cmdline: /d /c taskkill /t /f /im "VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe" > NUL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\taskkill.exe (PID 3940)
      cmdline: taskkill /t /f /im "VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\PING.EXE (PID 3052)
      cmdline: ping -n 1 127.0.0.1
      - Runs ping.exe
- [1] C:\Windows\system32\vssvc.exe (PID 4648)
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\System32\CompPkgSrv.exe (PID 4092)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [1] C:\Windows\System32\CompPkgSrv.exe (PID 3040)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [1] C:\Windows\system32\AUDIODG.EXE (PID 1636)
  cmdline: C:\Windows\system32\AUDIODG.EXE 0x3f8 0x504
  - Suspicious use of AdjustPrivilegeToken