Analysis
max time kernel: 123s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10/06/2024, 11:37
Static task: static1
Behavioral task: behavioral1
  Sample: VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe
  Resource: win10v2004-20240508-en
General
Target: VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe
Size: 368KB
MD5: 5885d072fb73bdd355e85b67bcde3bfd
SHA1: 538b93b18131e4d9de79f87f6b156c2d46895045
SHA256: d3f5990770291c25a4ff14e8a6fe033f7ad1689c6206ed41eb7ed253a1c2c348
SHA512: 7da4dbbb0c98cd2ad56ffe28a23ed67e66583a0822e0e16aadfa102447d7a22acbd9e526fc9a9ee3ecae68389b02e12347182a64829cd762559ed083ee94882e
SSDEEP: 6144:iQNUdPR6oncUtPLJoJi8ju8FQNXsyR36GeHba2grj9F4SENppTUHtnvR3aF3J9PQ:XNUdc6wA8P2cyF6T7a2gH9F4dzhUl6rP
Malware Config
Extracted
Path: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+cnfuw.txt
URLs:
http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/4E62CBE897AFC44E
http://b4youfred5485jgsa3453f.italazudda.com/4E62CBE897AFC44E
http://5rport45vcdef345adfkksawe.bematvocal.at/4E62CBE897AFC44E
http://fwgrhsao3aoml7ej.onion/4E62CBE897AFC44E
http://fwgrhsao3aoml7ej.ONION/4E62CBE897AFC44E
Note: the URLs were pulled from one of the dropped ransom notes. All five share the same 16-hex-digit path component (4E62CBE897AFC44E), which is the value to pivot on when hunting for related notes; the last two are the same Tor hidden service and differ only in the case of the .onion suffix.
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (425) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid | Process
2332 | cmd.exe
-
Drops startup file 3 IoCs
description: File opened for modification; Process: toweqsyjejbl.exe (all three entries)
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+cnfuw.html
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+cnfuw.png
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+cnfuw.txt
-
Executes dropped EXE 2 IoCs
pid | Process
2396 | toweqsyjejbl.exe
1580 | toweqsyjejbl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\vajryajdjwtt = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\toweqsyjejbl.exe\""
Process: toweqsyjejbl.exe
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2100 set thread context of 2840 | 2100 | VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe | 28
PID 2396 set thread context of 1580 | 2396 | toweqsyjejbl.exe | 34
Drops file in Program Files directory 64 IoCs
description: File opened for modification; Process: toweqsyjejbl.exe (all 64 entries)
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\Recovery+cnfuw.html
C:\Program Files\Windows NT\Accessories\de-DE\Recovery+cnfuw.png
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\Recovery+cnfuw.txt
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\Recovery+cnfuw.txt
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\Recovery+cnfuw.html
C:\Program Files\Java\jre7\bin\Recovery+cnfuw.html
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\weather.js
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg_orange.png
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png
C:\Program Files\VideoLAN\VLC\locale\tl\Recovery+cnfuw.txt
C:\Program Files\Windows Defender\it-IT\Recovery+cnfuw.html
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png
C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\Recovery+cnfuw.html
C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\Recovery+cnfuw.html
C:\Program Files\Microsoft Games\FreeCell\it-IT\Recovery+cnfuw.png
C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\Recovery+cnfuw.txt
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\cpu.css
C:\Program Files\Windows Sidebar\Recovery+cnfuw.html
C:\Program Files\Common Files\System\msadc\it-IT\Recovery+cnfuw.png
C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png
C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\Recovery+cnfuw.png
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new_partly-cloudy.png
C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png
C:\Program Files\Microsoft Games\Purble Place\it-IT\Recovery+cnfuw.png
C:\Program Files\7-Zip\Lang\da.txt
C:\Program Files\VideoLAN\VLC\locale\fi\Recovery+cnfuw.png
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\Recovery+cnfuw.png
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png
C:\Program Files\VideoLAN\VLC\locale\en_GB\Recovery+cnfuw.html
C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\Recovery+cnfuw.png
C:\Program Files\7-Zip\Lang\sa.txt
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\Recovery+cnfuw.html
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-docked.png
C:\Program Files\MSBuild\Microsoft\Recovery+cnfuw.html
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\Recovery+cnfuw.png
C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Recovery+cnfuw.txt
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\Recovery+cnfuw.png
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\Recovery+cnfuw.txt
C:\Program Files\Java\jdk1.7.0_80\jre\lib\Recovery+cnfuw.png
C:\Program Files\VideoLAN\VLC\locale\af\Recovery+cnfuw.png
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\cpu.js
C:\Program Files\7-Zip\Lang\nl.txt
C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\Recovery+cnfuw.txt
C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Recovery+cnfuw.png
C:\Program Files\VideoLAN\VLC\locale\da\Recovery+cnfuw.txt
C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\Recovery+cnfuw.html
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png
C:\Program Files\Common Files\System\msadc\en-US\Recovery+cnfuw.txt
C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png
C:\Program Files\VideoLAN\VLC\plugins\meta_engine\Recovery+cnfuw.png
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Recovery+cnfuw.png
C:\Program Files\Mozilla Firefox\fonts\Recovery+cnfuw.png
C:\Program Files\Windows NT\Recovery+cnfuw.txt
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\Recovery+cnfuw.png
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\Recovery+cnfuw.png
C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\Recovery+cnfuw.png
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\Recovery+cnfuw.png
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\Recovery+cnfuw.png
C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png
C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\toweqsyjejbl.exe | VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe
File opened for modification | C:\Windows\toweqsyjejbl.exe | VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 34 IoCs
All keys below are relative to \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer. iexplore.exe is the frame process (PID 1664) and IEXPLORE.EXE the tab process it spawned (PID 2464); see the process tree below. These are Internet Explorer's own housekeeping writes from displaying C:\Users\Admin\Desktop\RECOVERY.HTM, not registry changes made by the sample; the long "(data)" values carry the standard DPAPI blob header.
description | ioc | Process
Key created | Zoom | iexplore.exe
Key created | Recovery\AdminActive | iexplore.exe
Key created | Recovery\PendingRecovery | iexplore.exe
Key created | TabbedBrowsing | iexplore.exe
Key created | Main | iexplore.exe
Key created | IntelliForms | iexplore.exe
Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | Toolbar | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | Recovery\AdminActive\{14750C21-271E-11EF-9371-CAFA5A0A62FD} = "0" | iexplore.exe
Key created | Main\WindowsSearch | iexplore.exe
Set value (int) | SearchScopes\DownloadRetries = "3" | iexplore.exe
Key created | TabbedBrowsing\NewTabPage | iexplore.exe
Key created | BrowserEmulation\LowMic | iexplore.exe
Key created | InternetRegistry | iexplore.exe
Key created | LowRegistry\DOMStorage | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000737aab2a9b06374bb1c05038318e8c5a00000000020000000000106600000001000020000000e4cc2af5fcc5677fd8fbe3bb29f5b30b873ac086390866c62a0bf63421bfaf7b000000000e80000000020000200000002b9f1d307baa0f502f34b342d81f64c250eff76e95b588444443f2d0b42e88432000000087c7cfcf0f6a99af6072e46478caec1b846b027861138b9984d1aed08e4a4765400000007ff69ccc6aa71adf98c5b14163629f9d3bb7ff47431834ea835005742fbeffacf1ebbbe21a875a09f8302eba488725ab8f8f458c836d6da3e118e3415453e20f | iexplore.exe
Key created | Main | IEXPLORE.EXE
Key created | SearchScopes | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000737aab2a9b06374bb1c05038318e8c5a000000000200000000001066000000010000200000009933e0f66bd89277d8e65d978fc89f1e4329f25802e7c769d653f3c4c0ca4b19000000000e80000000020000200000003db9ffdf4c0988dab75a618b7d8097b44cc7ca592a0d23516a089978b8b0a55c90000000c28b520cd49d96b607d3417720e6e03d9ef7c18ab78661d9d4d687a2b025f5785ec5fe1cdfcbe76be2e83a69d2d6498da8fb0b43640a0e77d8767d6d909d8b4a7c3bc34e35589efc7c121f1c9f548dc53f3e271b7b72a5c477c22e45bd9126928b4eaf605e60bcedad891baffee690bfe99f511e00bd61c80a4a73d25b624e95f881ead9e0febb39a59673dabbfdfea3400000002a57345c7115296fce917ead788d2dbcbe3a825ce1eb6a02cdaa656458794e99b70b5b43d1102ee7628d3ea1e8dc63bdb887c176fa5e68a75362e593b9857669 | iexplore.exe
Set value (str) | Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | IETld\LowMic | iexplore.exe
Key created | LowRegistry | iexplore.exe
Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | PageSetup | iexplore.exe
Set value (str) | Main\FullScreen = "no" | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | GPU | iexplore.exe
Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = 1023eae82abbda01 | iexplore.exe
Key created | Toolbar\WebBrowser | iexplore.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
2040 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1580 | toweqsyjejbl.exe (the same entry reported 64 times)
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2840 | VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe
Token: SeDebugPrivilege | 1580 | toweqsyjejbl.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the unresolved LUIDs 33, 34, 35 (each of these 20 listed twice) | 2300 | WMIC.exe
Token: SeBackupPrivilege | 2796 | vssvc.exe
Token: SeRestorePrivilege | 2796 | vssvc.exe
Token: SeAuditPrivilege | 2796 | vssvc.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1664 | iexplore.exe
1936 | DllHost.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
2100 | VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe
2396 | toweqsyjejbl.exe
1664 | iexplore.exe (listed twice)
2464 | IEXPLORE.EXE (listed twice)
-
Suspicious use of WriteProcessMemory 50 IoCs
description | pid | Process | procid_target | identical entries
PID 2100 wrote to memory of 2840 | 2100 | VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe | 28 | x11
PID 2840 wrote to memory of 2396 | 2840 | VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe | 29 | x4
PID 2840 wrote to memory of 2332 | 2840 | VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe | 30 | x4
PID 2396 wrote to memory of 1580 | 2396 | toweqsyjejbl.exe | 34 | x11
PID 1580 wrote to memory of 2300 | 1580 | toweqsyjejbl.exe | 35 | x4
PID 1580 wrote to memory of 2040 | 1580 | toweqsyjejbl.exe | 44 | x4
PID 1580 wrote to memory of 1664 | 1580 | toweqsyjejbl.exe | 45 | x4
PID 1664 wrote to memory of 2464 | 1664 | iexplore.exe | 47 | x4
PID 1580 wrote to memory of 2136 | 1580 | toweqsyjejbl.exe | 49 | x4
Note: the two children that received 11 writes each (2840 and 1580) are the same two that appear as targets under "Suspicious use of SetThreadContext"; every other child got the four writes that ordinary process creation produces here.
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | toweqsyjejbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | toweqsyjejbl.exe
Note: EnableLinkedConnections = 1 makes drive mappings created under one of a user's two UAC tokens (elevated and filtered) visible under the other, so network drives mapped from an ordinary desktop session become reachable from an elevated process and vice versa.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
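The signatures above are the sandbox's verdicts; a detection engineer wants the same behaviours as rules that run over endpoint telemetry. The Python below is an added example, not the sandbox's own rules or export format: the event dicts are constructed to mirror this report's process tree, Run key, policy change and SetThreadContext entries (the field names type/pid/ppid/image/cmdline/key/value/data/target are an assumption made for the example), and the rule names are mine. The shadow-copy rule also matches the vssadmin form, which this sample did not use; the SetThreadContext rule keys on the pattern visible here, a thread context set on a freshly created child of the same image, which is the shape of process hollowing.

```python
"""Detection rules for the behaviours in the Signatures section.

Added example: not the sandbox's rules or export format.  EVENTS is
constructed to mirror this report's process tree and registry IoCs; the
dict layout is an assumption made for the example.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe"
DROPPED = r"C:\Windows\toweqsyjejbl.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000"

# Constructed telemetry, in execution order, modelled on the report.
EVENTS = [
    {"type": "process", "pid": 2100, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 2840, "ppid": 2100, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "set_thread_context", "pid": 2100, "target": 2840},
    {"type": "process", "pid": 2396, "ppid": 2840, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 2332, "ppid": 2840, "image": CMD,
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE'},
    {"type": "process", "pid": 1580, "ppid": 2396, "image": DROPPED, "cmdline": DROPPED},
    {"type": "set_thread_context", "pid": 2396, "target": 1580},
    {"type": "registry_set", "pid": 1580,
     "key": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run", "value": "vajryajdjwtt",
     "data": r'C:\Windows\system32\cmd.exe /c start "" "C:\Windows\toweqsyjejbl.exe"'},
    {"type": "registry_set", "pid": 1580,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLinkedConnections", "data": "1"},
    {"type": "process", "pid": 2300, "ppid": 1580, "image": WMIC,
     "cmdline": f'"{WMIC}" shadowcopy delete /nointeractive'},
    {"type": "process", "pid": 1664, "ppid": 1580, "image": IE,
     "cmdline": f'"{IE}" C:\\Users\\Admin\\Desktop\\RECOVERY.HTM'},
    {"type": "process", "pid": 2136, "ppid": 1580, "image": CMD,
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TOWEQS~1.EXE'},
]

# Shadow-copy deletion: WMIC as used here, plus the vssadmin variant.
SHADOW_DELETE = re.compile(
    r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b|\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b",
    re.IGNORECASE)
# cmd /c DEL <x>.exe: how the sample removes its dropper and itself.
CMD_DEL_EXE = re.compile(r'\bcmd(?:\.exe)?"?\s+/c\s+del\s+\S+\.exe\b', re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
CMD_START = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+start\b", re.IGNORECASE)
POLICY_SYSTEM = re.compile(r"\\Policies\\System$", re.IGNORECASE)


def detect(events):
    """Return (rule, pid) hits; pid is the process the rule fires on."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] == "process":
            if SHADOW_DELETE.search(e["cmdline"]):
                hits.append(("shadow_copy_deletion", e["pid"]))
            if CMD_DEL_EXE.search(e["cmdline"]):
                hits.append(("cmd_del_executable", e["pid"]))
        elif e["type"] == "set_thread_context":
            src, tgt = procs.get(e["pid"]), procs.get(e["target"])
            # Context set on the caller's own freshly created child running
            # the same image: the hollowing shape seen twice in this report.
            if src and tgt and tgt["ppid"] == src["pid"] \
                    and tgt["image"].lower() == src["image"].lower():
                hits.append(("thread_context_on_same_image_child", tgt["pid"]))
        elif e["type"] == "registry_set":
            if RUN_KEY.search(e["key"]) and CMD_START.search(e["data"]):
                hits.append(("run_key_via_cmd_start", e["pid"]))
            if POLICY_SYSTEM.search(e["key"]) \
                    and e["value"].lower() == "enablelinkedconnections" and e["data"] == "1":
                hits.append(("enable_linked_connections", e["pid"]))
    return hits


def by_process(events):
    """Group hits per (pid, image basename) for a quick triage view."""
    names = {e["pid"]: e["image"].rsplit("\\", 1)[-1] for e in events if e["type"] == "process"}
    grouped = {}
    for rule, pid in detect(events):
        grouped.setdefault((pid, names.get(pid, "?")), []).append(rule)
    return grouped


if __name__ == "__main__":
    for (pid, name), rules in sorted(by_process(EVENTS).items()):
        print(f"{pid:>5} {name:<48} {', '.join(rules)}")
```

Run stand-alone it prints one line per flagged process; on the constructed events that is PID 1580 with three rules and four other processes with one each, which together cover every TTP the sandbox listed except the file renames and browser-data reads, which need file and registry read telemetry the event list does not model.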
Processes
Nesting shows parent/child; the bracketed number is the depth marker from the report, followed by the image path, PID, command line and the signatures attributed to that process.
[1] C:\Users\Admin\AppData\Local\Temp\VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe  (PID 2100)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe  (PID 2840)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe"
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\toweqsyjejbl.exe  (PID 2396)
            cmdline: C:\Windows\toweqsyjejbl.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\toweqsyjejbl.exe  (PID 1580)
                cmdline: C:\Windows\toweqsyjejbl.exe
                - Drops startup file
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Program Files directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
                [5] C:\Windows\System32\wbem\WMIC.exe  (PID 2300)
                    cmdline: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                    - Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\SysWOW64\NOTEPAD.EXE  (PID 2040)
                    cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
                    - Opens file in notepad (likely ransom note)
                [5] C:\Program Files\Internet Explorer\iexplore.exe  (PID 1664)
                    cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
                    - Modifies Internet Explorer settings
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 2464)
                        cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1664 CREDAT:275457 /prefetch:2
                        - Modifies Internet Explorer settings
                        - Suspicious use of SetWindowsHookEx
                [5] C:\Windows\SysWOW64\cmd.exe  (PID 2136)
                    cmdline: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TOWEQS~1.EXE
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 2332)
            cmdline: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
            - Deletes itself
[1] C:\Windows\system32\vssvc.exe  (PID 2796)
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\DllHost.exe  (PID 1936)
    cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    - Suspicious use of FindShellTrayWindow
Note: cmd.exe and NOTEPAD.EXE are launched with a C:\Windows\system32 command line but run from C:\Windows\SysWOW64. That is WOW64 file-system redirection, which applies because the parent issuing CreateProcess is a 32-bit process; the two DEL commands use 8.3 short names (TOWEQS~1.EXE, VIRUSS~1.EXE) for the dropped copy and the original sample respectively.
Network
MITRE ATT&CK Enterprise v15
Downloads
Entries without a path are listed as the report shows them; the same CryptnetUrlCache metadata file appears nine times because its content changed during the run.
-
Filesize: 8KB
MD5: 0027bbf153ca14d8bebb4aae349fe33c
SHA1: 0b08c29ccf19b71220dc5de721c645270082bdc3
SHA256: 5841a046ca05242c725458786f5fcb0528609c24dc6151dd9ab6a12436729d45
SHA512: 5abdae0b3dc82ac088d7b55f7de4049f407b0af899d6d13e4f7ff58e8e5a42a5ca2563a8c5a72e9a1e63302510194bb188adbff05c4ad770e329c0e42056b9c2
-
Filesize: 68KB
MD5: 90e2392070f0962e12f9daedbc536a42
SHA1: 489e504e8f2b0fd5c7302048c44903ae9aff1dd6
SHA256: d172adbd4a983bc10f72264c34e0b34adb08df8f10575d171fc595f6339ccef3
SHA512: 80f75f03d8c14ff4417d2927f89fcbfb21c12eefe82a22f5d75fee8d5967997dcc507329bd1738fcdd3d408c9864051556341918a1a24413a7e64ee1e1a5ad5f
-
Filesize: 2KB
MD5: 5791ee490b1a1923296fabb526ce5f49
SHA1: 4887034b550d0e0897d9994dc438b4a9de1af72f
SHA256: 0a6763933988ed9769a35b443bb07c25f9d51780f1743a3536c37bc6d6521539
SHA512: 5f23190c31a587b1577985629bf5c293f0166482fdd9e0275d56d35fd3be68ee4d7201ddb74129d63c3dbe6fc60d5d6f9d8952a40ea14d1f8c172f0bdbfd1f01
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize: 11KB
MD5: fc0f2eb6b563dfe998c13cdd458869ad
SHA1: 3633f827fca2182b9de863548d60e7d52f0952b8
SHA256: e394dfbf721029c59f9f9c194a4b48259c9e46254c20b58767ede059406ffdba
SHA512: a7a889b8f4f5386f2a18457ffebf1a5dfd7268b21ab34cc69674450d5f483e3ba491933ab881f5f3bfd4e6e0bd72f924ec13155360f3bdee160601630a82177b
-
Filesize: 109KB
MD5: adea1563899592740c3af98d03ee939a
SHA1: 4d485b031a01cee60b931e60fbab00ae6424b505
SHA256: 39f3613793a8644db8a19d92c0896e27d6ba3c1247e222d57f6bd388ff60084f
SHA512: 45ba8ea94c1dcb439fe7aa5d96d43accc92ab390be22fb17cc2f49ad346dcdd28b149cb4700e0590b2caf8776ac214d4e2f306c0b91b916d5a34bcc97333dc06
-
Filesize: 173KB
MD5: 8c10c247840fa74b728e65f368b5b2c6
SHA1: ecadf9602752c553a71d23a5491df68a71d69a79
SHA256: 6fa8bd34c410fa1d6df67aa12f15f36bce15912e96d102a24a1d0f9848bdc5b6
SHA512: b5749073f2b49b01493a8b7ee2115aac95e6bd4d9dc01f4bb9580c76bff9651eff9a0bc74d967f22053529690f34a71769f69003b22d23ac9f1c168df889e34e
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 98ffe04c9ea11ad4eedd30d1dbc84df0
SHA1: 4420faa049ad5f61e7908a83d3499b7b86a7e8f6
SHA256: 8adeb9620b25bd7329d8f759417d856b4b6f31847927d49d2caaad27427b0c7e
SHA512: 2e8ec8880dd956bda206b14473c885d2851d961173f38b9d33e8865e3fbe2ad8b42949b9a32ea443812a844054367c1c5bc60b58438d57e95815ef77db1b372f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2e8a8eaf7138725ad25ea36f485a7bf0
SHA1: ac2b121f094d95ce73f92a90f924b9364478d4dd
SHA256: 816c597936ee406d8826472f4fb5ce4a6b16dac9d30c28e27d93ff6f268d1362
SHA512: 81ce06ac582a5bab9c61614ba12270126ea031981be99d6ec9d5f970ce964fa6635ad095e9bcb17d2aabc324f6843698cd861ac833d7ebdaa608bb4547d6683c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9ffb233744c5ce454829b07a6f2639d1
SHA1: f163286f76bdeb5bdcc47b6c1b2bbc133aa9a113
SHA256: 5d3b723a77885b9a68613895ee3000240a279fb0afaeb12727e80ed7bf01f7ed
SHA512: aba28d891c9ce96f73d6c60b59e0be8f678b3b9fa1e7bbc6664a20fba6ddd13098ec4c153443181621fc100ecb58538280f661d983e70063a4b52d3f289e797f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 05ab4667dcb7c3eb7b79ecc49f6916c4
SHA1: a43ce521f266a7074deebf2ac52543efacd55ad5
SHA256: 9f79e995774678fc1406ce2cc6a87d5421a032acf8e4645ba1181b2d02b2ae56
SHA512: 5eb85eec79c98ab1e690f3c946a55224ab8044d51d1b8ff31fd383362b1bc900c17ff4bea4cbd5c6d9a948102d7f86dbcde2325f4bebcc8479e6a051179e234f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ff00be4b49f68a8b2f0c1682d8aa990d
SHA1: 139f0d506e58099888262ef42e5a98df1c641250
SHA256: 80244b4809c8911ae22ff9eb94b7f23588b25735e55bc530a013b4c932418958
SHA512: e9a76b57f1611f8d0978194c9617f6c54a974cbeae38022527d831968976e668d054034641232932c71c9b1b84c87a2f62c369efa1098f3a9c7adbd0aad23ffb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: fb5bd938f9a6f127aeed70c90b575f59
SHA1: 126b2ae976ba635aaf48fa6a9fe0be62687cd536
SHA256: 9f8e1a942128df45ffb7dba745a7740185e67337700ad283e41c9154f8d690bf
SHA512: 4401d9dec92e813745464042080e927ba14a3109d232a2516ab73344f16c382d6511acf05842d20aceb1859b71fd4cb0e1e4c8c47c8da78d68b3712fabf992f1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 086a2ec0f153805d35cac6ca583aa79e
SHA1: 90997f38a3058f53fce9fa133226389eb7c58c70
SHA256: fbeff7d1657da0ca4b30a9ee17a42c4723fbae71f9eca1a5bd426739fbac0449
SHA512: 9cfb4b6973552f8d4b0356b4dd99bfea79bd27e7799987991a617e016d9bd8683f9154dc8f131c6f5847c2e2cb7c149f8fc14341d67058d233d6af144025a6b3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 8fac01d590db44b19d2fd0e27c68d035
SHA1: 67766520edad996112f7d67e606061fa4a56c05d
SHA256: 558fdd57fa412215611a16162ae90333958f2d150ef42609482f6e9b48fa76c2
SHA512: 142e7de523e9e620a8501fcf3ce9a8651e8a53da0e70fa29ec5b2fdfcf34dec7fb0941d3031f7f4a3e3f5d7e9f311a88fb9bd03bd612fd0b3a8fbf1f9c2c6143
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: adf5a209985b9054687a5a86b3d22085
SHA1: d747b97d04d005866a55fc63dee2a32195d8e403
SHA256: 6042c2562a1b652c3e1ff06c2e752aec5a2b717b65c42298d3b08dd8938512a8
SHA512: a89bfc81383b9b5abe29ff181d004d867872470ab66e1f5d169695d7f3fa6352ea2affede108b64ae88082d5da6475a2d4d5ad677cdc9a135f3a2160a078baa0
-
Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 368KB
MD5: 5885d072fb73bdd355e85b67bcde3bfd
SHA1: 538b93b18131e4d9de79f87f6b156c2d46895045
SHA256: d3f5990770291c25a4ff14e8a6fe033f7ad1689c6206ed41eb7ed253a1c2c348
SHA512: 7da4dbbb0c98cd2ad56ffe28a23ed67e66583a0822e0e16aadfa102447d7a22acbd9e526fc9a9ee3ecae68389b02e12347182a64829cd762559ed083ee94882e
Note: the last entry has the same size and digests as the submitted sample (General section), i.e. a byte-identical copy of it was written to disk during the run.