a38207f0e70d472afbbde057caa046c47c56d86d02b3c2a633a2e08f02e7274a

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_1eb412a5f6400eb490a8698dc08129da.exe
Size

344KB
MD5

1eb412a5f6400eb490a8698dc08129da
SHA1

065daf13ce7d8adfca48fb1405f76b122b5edd62
SHA256

a38207f0e70d472afbbde057caa046c47c56d86d02b3c2a633a2e08f02e7274a
SHA512

7155af1756cd1639b9d7baf96caad6f658d28cd64723755dae657adb156fbb9cc107cecc68c376dd2c0bcdc532aef6233c00418e91fa9f35728d4c759daa5c70
SSDEEP

6144:fclgBCoMvJpr3IZVXBRVRC3BMaXGRTuKYAyqeT6y52cZuvrvD1hNVWfO6:f5C9Jpr3I3XBRi3WaXGEKXnW6RjPkv

Score

10^/10

defense_evasion evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\PerfLogs\how_recover+xuh.txt

Ransom Note

111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 How did this happen ? ---Specially for your PC was generated personal RSA-4096 KEY, both public and private. ---ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://vr6g2curb2kcidou.encpayment23.com/6AD13A24B781BD23 2. http://vr6g2curb2kcidou.expay34.com/6AD13A24B781BD23 3. http://psbc532jm8c.hsh73cu37n1.net/6AD13A24B781BD23 4. https://vr6g2curb2kcidou.onion.to/6AD13A24B781BD23 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: vr6g2curb2kcidou.onion/6AD13A24B781BD23 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://vr6g2curb2kcidou.encpayment23.com/6AD13A24B781BD23 http://vr6g2curb2kcidou.expay34.com/6AD13A24B781BD23 http://psbc532jm8c.hsh73cu37n1.net/6AD13A24B781BD23 https://vr6g2curb2kcidou.onion.to/6AD13A24B781BD23 Your personal page (using TOR-Browser): vr6g2curb2kcidou.onion/6AD13A24B781BD23 Your personal identification number (if you open the site (or TOR-Browser's) directly): 6AD13A24B781BD23 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

URLs

http://vr6g2curb2kcidou.encpayment23.com/6AD13A24B781BD23

http://vr6g2curb2kcidou.expay34.com/6AD13A24B781BD23

http://psbc532jm8c.hsh73cu37n1.net/6AD13A24B781BD23

https://vr6g2curb2kcidou.onion.to/6AD13A24B781BD23

http://vr6g2curb2kcidou.onion/6AD13A24B781BD23

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4928	bcdedit.exe
776	bcdedit.exe
4052	bcdedit.exe
4428	bcdedit.exe
4988	bcdedit.exe

Renames multiple (899) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	gvywwacroic.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+xuh.txt	gvywwacroic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+xuh.html	gvywwacroic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+xuh.txt	gvywwacroic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+xuh.html	gvywwacroic.exe

Executes dropped EXE 2 IoCs

pid	Process
2024	gvywwacroic.exe
4696	gvywwacroic.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acrndtd = "C:\\Users\\Admin\\AppData\\Roaming\\gvywwacroic.exe"	gvywwacroic.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	myexternalip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2236 set thread context of 4708	2236	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	93
PID 2024 set thread context of 4696	2024	gvywwacroic.exe	96

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\how_recover+xuh.txt	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\how_recover+xuh.html	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-200.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\notificationCenter.js	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-30_altform-unplated_contrast-white.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\how_recover+xuh.txt	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-60_altform-lightunplated.png	gvywwacroic.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	gvywwacroic.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\how_recover+xuh.html	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-white_scale-125.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_SadMouth.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailBadge.scale-200.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCache.scale-100.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeBadge.scale-100.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\how_recover+xuh.txt	gvywwacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\how_recover+xuh.txt	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-200.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated_contrast-high.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-100.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-150.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\how_recover+xuh.txt	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-32.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeSmallTile.scale-150.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-60_altform-unplated.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-72.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\trace.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-96_altform-unplated_contrast-white.png	gvywwacroic.exe
File opened for modification	C:\Program Files\Common Files\System\how_recover+xuh.txt	gvywwacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\BadgeLogo.scale-125_contrast-white.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-125_contrast-white.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-30.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-150.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\how_recover+xuh.html	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44LogoExtensions.targetsize-256.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-180.png	gvywwacroic.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ru.pak	gvywwacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\THMBNAIL.PNG	gvywwacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\how_recover+xuh.txt	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WideTile.scale-125_contrast-white.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-20_altform-unplated.png	gvywwacroic.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\how_recover+xuh.txt	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\SmallTile.scale-125.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-400.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\how_recover+xuh.txt	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxMetadata\how_recover+xuh.html	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-unplated.png	gvywwacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\how_recover+xuh.html	gvywwacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\how_recover+xuh.html	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-32_contrast-black.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-60.png	gvywwacroic.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\how_recover+xuh.html	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-48_altform-unplated.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-200_contrast-white.png	gvywwacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\how_recover+xuh.html	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\how_recover+xuh.txt	gvywwacroic.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\how_recover+xuh.html	gvywwacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable-dark.png	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\how_recover+xuh.txt	gvywwacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxAccountsStoreLogo.scale-100.png	gvywwacroic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1764	vssadmin.exe
2780	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	gvywwacroic.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1380	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe
4696	gvywwacroic.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4708	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe
Token: SeDebugPrivilege	4696	gvywwacroic.exe
Token: SeBackupPrivilege	4292	vssvc.exe
Token: SeRestorePrivilege	4292	vssvc.exe
Token: SeAuditPrivilege	4292	vssvc.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 4708	2236	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	93
PID 2236 wrote to memory of 4708	2236	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	93
PID 2236 wrote to memory of 4708	2236	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	93
PID 2236 wrote to memory of 4708	2236	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	93
PID 2236 wrote to memory of 4708	2236	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	93
PID 2236 wrote to memory of 4708	2236	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	93
PID 2236 wrote to memory of 4708	2236	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	93
PID 2236 wrote to memory of 4708	2236	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	93
PID 2236 wrote to memory of 4708	2236	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	93
PID 2236 wrote to memory of 4708	2236	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	93
PID 4708 wrote to memory of 2024	4708	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	94
PID 4708 wrote to memory of 2024	4708	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	94
PID 4708 wrote to memory of 2024	4708	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	94
PID 2024 wrote to memory of 4696	2024	gvywwacroic.exe	96
PID 2024 wrote to memory of 4696	2024	gvywwacroic.exe	96
PID 2024 wrote to memory of 4696	2024	gvywwacroic.exe	96
PID 2024 wrote to memory of 4696	2024	gvywwacroic.exe	96
PID 2024 wrote to memory of 4696	2024	gvywwacroic.exe	96
PID 2024 wrote to memory of 4696	2024	gvywwacroic.exe	96
PID 2024 wrote to memory of 4696	2024	gvywwacroic.exe	96
PID 2024 wrote to memory of 4696	2024	gvywwacroic.exe	96
PID 2024 wrote to memory of 4696	2024	gvywwacroic.exe	96
PID 2024 wrote to memory of 4696	2024	gvywwacroic.exe	96
PID 4696 wrote to memory of 4928	4696	gvywwacroic.exe	97
PID 4696 wrote to memory of 4928	4696	gvywwacroic.exe	97
PID 4708 wrote to memory of 1368	4708	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	99
PID 4708 wrote to memory of 1368	4708	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	99
PID 4708 wrote to memory of 1368	4708	VirusShare_1eb412a5f6400eb490a8698dc08129da.exe	99
PID 4696 wrote to memory of 1764	4696	gvywwacroic.exe	101
PID 4696 wrote to memory of 1764	4696	gvywwacroic.exe	101
PID 4696 wrote to memory of 776	4696	gvywwacroic.exe	103
PID 4696 wrote to memory of 776	4696	gvywwacroic.exe	103
PID 4696 wrote to memory of 4052	4696	gvywwacroic.exe	107
PID 4696 wrote to memory of 4052	4696	gvywwacroic.exe	107
PID 4696 wrote to memory of 4428	4696	gvywwacroic.exe	109
PID 4696 wrote to memory of 4428	4696	gvywwacroic.exe	109
PID 4696 wrote to memory of 4988	4696	gvywwacroic.exe	111
PID 4696 wrote to memory of 4988	4696	gvywwacroic.exe	111
PID 4696 wrote to memory of 1380	4696	gvywwacroic.exe	123
PID 4696 wrote to memory of 1380	4696	gvywwacroic.exe	123
PID 4696 wrote to memory of 1380	4696	gvywwacroic.exe	123
PID 4696 wrote to memory of 3816	4696	gvywwacroic.exe	124
PID 4696 wrote to memory of 3816	4696	gvywwacroic.exe	124
PID 4696 wrote to memory of 2780	4696	gvywwacroic.exe	128
PID 4696 wrote to memory of 2780	4696	gvywwacroic.exe	128
PID 4696 wrote to memory of 4532	4696	gvywwacroic.exe	133
PID 4696 wrote to memory of 4532	4696	gvywwacroic.exe	133
PID 4696 wrote to memory of 4532	4696	gvywwacroic.exe	133

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gvywwacroic.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gvywwacroic.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_1eb412a5f6400eb490a8698dc08129da.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_1eb412a5f6400eb490a8698dc08129da.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\VirusShare_1eb412a5f6400eb490a8698dc08129da.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_1eb412a5f6400eb490a8698dc08129da.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Users\Admin\AppData\Roaming\gvywwacroic.exe
    C:\Users\Admin\AppData\Roaming\gvywwacroic.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Users\Admin\AppData\Roaming\gvywwacroic.exe
      C:\Users\Admin\AppData\Roaming\gvywwacroic.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4696
    - - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe /set {current} bootems off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4928
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:1764
    - - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe /set {current} advancedoptions off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:776
    - - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe /set {current} optionsedit off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4052
    - - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4428
    - - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe /set {current} recoveryenabled off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4988
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
        5⤵
        
        PID:3816
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\GVYWWA~1.EXE
        5⤵
        
        PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    PID:1368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5248 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3892 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:1
1⤵
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5664 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:1
1⤵
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4704 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5912 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:1
1⤵
PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\how_recover+xuh.html

Filesize
9KB

MD5
1fc8a93012cde78d58fbe0a8de245466

SHA1
7321a157acde9c7f5b5c0349741397f6ad42d459

SHA256
b9c073e465bd7d683bc7718cc834d967481007585f02fcd0f87c89947bc67635

SHA512
642cb1c0d1b058f77f1347f93ec87f9a70d8fd027128ee7f0fe0645d1af68bc4c9036c645ef2e1f9cfccc0a0dafda2d1cb71fa87ff34675fea37077bfc7ca687

Download Submit
C:\PerfLogs\how_recover+xuh.txt

Filesize
2KB

MD5
79a1f7b05cd9cc232512539ae733e095

SHA1
1d99a2900b4fd23a44e144d8aa1f103e467f4ce6

SHA256
0fa2fd702694008bb5f6fec38273a4d2c04bccaba397f1cca15cce1a4d1a7fd6

SHA512
d2e4e8e0ca85c8f3c1faa1de115cf1869d73a08eefe2dba97aef18f4a85e8bc3f73df50edab522f72ec3ba486e1feeac605bfff861414e5cea1d24021f010667

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
606B

MD5
4ee6a1719f97f667d5881396b2af2e1b

SHA1
2876c0ada92ad0874caf697193a7623138f0de4c

SHA256
3065bb1b52b2cd3c823721bfa02a50e240847d2469cb90df12ffbfcdb91f591e

SHA512
5b01b8c191924490531b7601ef97ec0faac336e903d4eb161e5ebbffb451eff3dd1bc2c6ce4bd917516976d576b449a15f0881a33df0f64dfe1a1ffb72281d92

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
606B

MD5
777810cdf6ede8921b8e2e3c2437c087

SHA1
c5f51a7e4e699edf3527d8ff9193990b04d9254c

SHA256
fd8c3f4450208d4e6dff2fea6ca14c6f99e6a5d8d367da138587ebd56f286f56

SHA512
f47a07a7e43fcdc1b4cc410992bfddbcf121d9b48e28f166a80a6b392153914b2e8207c0196ba64b1f1aa259f790e0e747b5326b8aeae3703aca021cdc049bf4

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
462B

MD5
2c730b4daffb292100b96676fa731ba8

SHA1
2cf23fd21bd83544770371d09a1b0082aae552ec

SHA256
0d1e09f7ae1f8fe19ac50c511f250fb2a6dbc42f403d9ab5756f84162de21b13

SHA512
91a53333b36afa08e7ff15a3a299f775aec2b5bc2e1d097a34b8c4a2d8ce98bbf75fee7bc372ba98bccb0af06c35ec4c12bffa420a622f0bbd78df4098522f8b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fe1f2851-ffca-4750-ab86-7885527899b0}\0.1.filtertrie.intermediate.txt

Filesize
430B

MD5
adeaf34fd82ace3f20a670d1a7339d3f

SHA1
baed89f079c2f63fa08c92863217fe51fd1c4a5f

SHA256
f876f25ecb4fafc29ab08606fbab816349928cc8eec109c8599614cf35213ec3

SHA512
71d7ccd33d236a15d1e9691dadc9f6ae0b861bd01c9bce9a160f4b730b36ff0b116a528f6e24c75539f97429c0046d5553a8cff7b7cfb2d0ded52a90ee5a140b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fe1f2851-ffca-4750-ab86-7885527899b0}\0.2.filtertrie.intermediate.txt

Filesize
430B

MD5
d4bf90a19252b453c6650034d6c08e5a

SHA1
1a39a58bf227a5ca0866525701a6816de55e5a02

SHA256
2140092c56b5c372329bb78b35f168721d581fbc3e4b947b67af79cf17049df4

SHA512
311fdbd93d3bf60d1aa0259a8a91a0fc6c938301d7c760f5b35c7de4ab39ae951b932e3c0f53aef5d0fac1d9ebf114de989fae02896699d829635d891e08d437

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133534305838784240.txt

Filesize
77KB

MD5
e3995598724fa373fb5d806aee536a6a

SHA1
2a9dda723a45ebc09760948289851b40f134affa

SHA256
67cb2ef21c339ad91af21d8be26bcf0122d2139cd28cc5d8e0ecd4bde452927b

SHA512
3e14c2ce28fa76e862de64b64645d282491e562dbd95815c46eff9820f20fdc4172aaf5b74a5eec75b0a07cce7e67d23fef7895ddccf74741af5c66783fe8a2f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133534325129811261.txt

Filesize
74KB

MD5
44f9dcf2312d57c919677fa07b11599b

SHA1
9585306af6f0efff1296500719095fe137a32eef

SHA256
22bea6ed84834163e5e2c6539f2d82509f6f33ebbb5e5b42104b8f02b832a000

SHA512
721de638ff3916e96365b450157b88c6073b3aca05a86cca5fb2aea1aa7ca06115f08aca46c6766d187ba4283eb26561fd2394ab3a0ae8ef0d31ef32b3c3d50d

Download Submit
C:\Users\Admin\AppData\Roaming\gvywwacroic.exe

Filesize
344KB

MD5
1eb412a5f6400eb490a8698dc08129da

SHA1
065daf13ce7d8adfca48fb1405f76b122b5edd62

SHA256
a38207f0e70d472afbbde057caa046c47c56d86d02b3c2a633a2e08f02e7274a

SHA512
7155af1756cd1639b9d7baf96caad6f658d28cd64723755dae657adb156fbb9cc107cecc68c376dd2c0bcdc532aef6233c00418e91fa9f35728d4c759daa5c70

Download Submit
memory/2024-10-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/2236-4-0x00000000009E0000-0x00000000009E3000-memory.dmp

Filesize
12KB

Download
memory/2236-0-0x00000000009E0000-0x00000000009E3000-memory.dmp

Filesize
12KB

Download
memory/4696-493-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-4304-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-21-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-7593-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-457-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-712-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-15-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-14-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-1245-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-1852-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-2862-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-22-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-5691-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-7585-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-7584-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-7576-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-7575-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4696-6718-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4708-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download