d3f5990770291c25a4ff14e8a6fe033f7ad1689c6206ed41eb7ed253a1c2c348

Analysis

max time kernel
131s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe
Size

368KB
MD5

5885d072fb73bdd355e85b67bcde3bfd
SHA1

538b93b18131e4d9de79f87f6b156c2d46895045
SHA256

d3f5990770291c25a4ff14e8a6fe033f7ad1689c6206ed41eb7ed253a1c2c348
SHA512

7da4dbbb0c98cd2ad56ffe28a23ed67e66583a0822e0e16aadfa102447d7a22acbd9e526fc9a9ee3ecae68389b02e12347182a64829cd762559ed083ee94882e
SSDEEP

6144:iQNUdPR6oncUtPLJoJi8ju8FQNXsyR36GeHba2grj9F4SENppTUHtnvR3aF3J9PQ:XNUdc6wA8P2cyF6T7a2gH9F4dzhUl6rP

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+mmplo.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/C7FAFF798E63542 2. http://b4youfred5485jgsa3453f.italazudda.com/C7FAFF798E63542 3. http://5rport45vcdef345adfkksawe.bematvocal.at/C7FAFF798E63542 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/C7FAFF798E63542 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/C7FAFF798E63542 http://b4youfred5485jgsa3453f.italazudda.com/C7FAFF798E63542 http://5rport45vcdef345adfkksawe.bematvocal.at/C7FAFF798E63542 *-*-* Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/C7FAFF798E63542 *-*-* Your personal identification ID: C7FAFF798E63542

URLs

http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/C7FAFF798E63542

http://b4youfred5485jgsa3453f.italazudda.com/C7FAFF798E63542

http://5rport45vcdef345adfkksawe.bematvocal.at/C7FAFF798E63542

http://fwgrhsao3aoml7ej.onion/C7FAFF798E63542

http://fwgrhsao3aoml7ej.ONION/C7FAFF798E63542

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (886) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	rdhxrehcgmur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+mmplo.txt	rdhxrehcgmur.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+mmplo.html	rdhxrehcgmur.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+mmplo.png	rdhxrehcgmur.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+mmplo.txt	rdhxrehcgmur.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+mmplo.html	rdhxrehcgmur.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+mmplo.png	rdhxrehcgmur.exe

Executes dropped EXE 2 IoCs

pid	Process
1608	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\orefqwbbknop = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\rdhxrehcgmur.exe\""	rdhxrehcgmur.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1300 set thread context of 3412	1300	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	102
PID 1608 set thread context of 3104	1608	rdhxrehcgmur.exe	106

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+mmplo.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\Recovery+mmplo.html	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\Recovery+mmplo.txt	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-20.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\STARTUP\Recovery+mmplo.txt	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_124.0.2478.80_neutral__8wekyb3d8bbwe\Recovery+mmplo.html	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\7-Zip\Recovery+mmplo.txt	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_scale-200.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorSplashScreen.contrast-black_scale-100.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\Common Files\Recovery+mmplo.txt	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-125.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\Recovery+mmplo.html	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management\Recovery+mmplo.html	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreWideTile.scale-100.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\Recovery+mmplo.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+mmplo.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100_contrast-white.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Recovery+mmplo.txt	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Recovery+mmplo.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-white\Settings.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-150_contrast-black.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\Recovery+mmplo.txt	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlMiddleCircleHover.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\Recovery+mmplo.html	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-64_altform-lightunplated.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\LargeTile.scale-200.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\IsoLeft.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-150.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\Recovery+mmplo.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\Recovery+mmplo.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\WideTile.scale-125.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Recovery+mmplo.html	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-20.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\Recovery+mmplo.html	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-400.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ro-RO\View3d\Recovery+mmplo.html	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\Recovery+mmplo.html	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-16.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Recovery+mmplo.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-white_scale-100.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-400.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Recovery+mmplo.html	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\Recovery+mmplo.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Recovery+mmplo.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-400_contrast-white.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\Recovery+mmplo.html	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-200.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\Recovery+mmplo.txt	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-TW\View3d\Recovery+mmplo.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Recovery+mmplo.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\WideTile.scale-125.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\Recovery+mmplo.html	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-16.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-96_altform-unplated.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\web_edge_permissions.png	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Fonts\Recovery+mmplo.html	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\Recovery+mmplo.txt	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\Recovery+mmplo.html	rdhxrehcgmur.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6839F048-046C-448E-A7D4-484986338EB4\root\vfs\Windows\assembly\Recovery+mmplo.html	rdhxrehcgmur.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rdhxrehcgmur.exe	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe
File created	C:\Windows\rdhxrehcgmur.exe	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	rdhxrehcgmur.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3552	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe
3104	rdhxrehcgmur.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	3412	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe
Token: SeDebugPrivilege	3104	rdhxrehcgmur.exe
Token: SeIncreaseQuotaPrivilege	932	WMIC.exe
Token: SeSecurityPrivilege	932	WMIC.exe
Token: SeTakeOwnershipPrivilege	932	WMIC.exe
Token: SeLoadDriverPrivilege	932	WMIC.exe
Token: SeSystemProfilePrivilege	932	WMIC.exe
Token: SeSystemtimePrivilege	932	WMIC.exe
Token: SeProfSingleProcessPrivilege	932	WMIC.exe
Token: SeIncBasePriorityPrivilege	932	WMIC.exe
Token: SeCreatePagefilePrivilege	932	WMIC.exe
Token: SeBackupPrivilege	932	WMIC.exe
Token: SeRestorePrivilege	932	WMIC.exe
Token: SeShutdownPrivilege	932	WMIC.exe
Token: SeDebugPrivilege	932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	932	WMIC.exe
Token: SeRemoteShutdownPrivilege	932	WMIC.exe
Token: SeUndockPrivilege	932	WMIC.exe
Token: SeManageVolumePrivilege	932	WMIC.exe
Token: 33	932	WMIC.exe
Token: 34	932	WMIC.exe
Token: 35	932	WMIC.exe
Token: 36	932	WMIC.exe
Token: SeIncreaseQuotaPrivilege	932	WMIC.exe
Token: SeSecurityPrivilege	932	WMIC.exe
Token: SeTakeOwnershipPrivilege	932	WMIC.exe
Token: SeLoadDriverPrivilege	932	WMIC.exe
Token: SeSystemProfilePrivilege	932	WMIC.exe
Token: SeSystemtimePrivilege	932	WMIC.exe
Token: SeProfSingleProcessPrivilege	932	WMIC.exe
Token: SeIncBasePriorityPrivilege	932	WMIC.exe
Token: SeCreatePagefilePrivilege	932	WMIC.exe
Token: SeBackupPrivilege	932	WMIC.exe
Token: SeRestorePrivilege	932	WMIC.exe
Token: SeShutdownPrivilege	932	WMIC.exe
Token: SeDebugPrivilege	932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	932	WMIC.exe
Token: SeRemoteShutdownPrivilege	932	WMIC.exe
Token: SeUndockPrivilege	932	WMIC.exe
Token: SeManageVolumePrivilege	932	WMIC.exe
Token: 33	932	WMIC.exe
Token: 34	932	WMIC.exe
Token: 35	932	WMIC.exe
Token: 36	932	WMIC.exe
Token: SeBackupPrivilege	2080	vssvc.exe
Token: SeRestorePrivilege	2080	vssvc.exe
Token: SeAuditPrivilege	2080	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1300	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe
1608	rdhxrehcgmur.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 3412	1300	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	102
PID 1300 wrote to memory of 3412	1300	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	102
PID 1300 wrote to memory of 3412	1300	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	102
PID 1300 wrote to memory of 3412	1300	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	102
PID 1300 wrote to memory of 3412	1300	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	102
PID 1300 wrote to memory of 3412	1300	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	102
PID 1300 wrote to memory of 3412	1300	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	102
PID 1300 wrote to memory of 3412	1300	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	102
PID 1300 wrote to memory of 3412	1300	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	102
PID 1300 wrote to memory of 3412	1300	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	102
PID 3412 wrote to memory of 1608	3412	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	103
PID 3412 wrote to memory of 1608	3412	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	103
PID 3412 wrote to memory of 1608	3412	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	103
PID 3412 wrote to memory of 4316	3412	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	104
PID 3412 wrote to memory of 4316	3412	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	104
PID 3412 wrote to memory of 4316	3412	VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe	104
PID 1608 wrote to memory of 3104	1608	rdhxrehcgmur.exe	106
PID 1608 wrote to memory of 3104	1608	rdhxrehcgmur.exe	106
PID 1608 wrote to memory of 3104	1608	rdhxrehcgmur.exe	106
PID 1608 wrote to memory of 3104	1608	rdhxrehcgmur.exe	106
PID 1608 wrote to memory of 3104	1608	rdhxrehcgmur.exe	106
PID 1608 wrote to memory of 3104	1608	rdhxrehcgmur.exe	106
PID 1608 wrote to memory of 3104	1608	rdhxrehcgmur.exe	106
PID 1608 wrote to memory of 3104	1608	rdhxrehcgmur.exe	106
PID 1608 wrote to memory of 3104	1608	rdhxrehcgmur.exe	106
PID 1608 wrote to memory of 3104	1608	rdhxrehcgmur.exe	106
PID 3104 wrote to memory of 932	3104	rdhxrehcgmur.exe	107
PID 3104 wrote to memory of 932	3104	rdhxrehcgmur.exe	107
PID 3104 wrote to memory of 3552	3104	rdhxrehcgmur.exe	112
PID 3104 wrote to memory of 3552	3104	rdhxrehcgmur.exe	112
PID 3104 wrote to memory of 3552	3104	rdhxrehcgmur.exe	112
PID 3104 wrote to memory of 4664	3104	rdhxrehcgmur.exe	113
PID 3104 wrote to memory of 4664	3104	rdhxrehcgmur.exe	113
PID 3104 wrote to memory of 4812	3104	rdhxrehcgmur.exe	119
PID 3104 wrote to memory of 4812	3104	rdhxrehcgmur.exe	119
PID 3104 wrote to memory of 4812	3104	rdhxrehcgmur.exe	119

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	rdhxrehcgmur.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	rdhxrehcgmur.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\rdhxrehcgmur.exe
    C:\Windows\rdhxrehcgmur.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\rdhxrehcgmur.exe
      C:\Windows\rdhxrehcgmur.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3104
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:3552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        
        PID:4664
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\RDHXRE~1.EXE
        5⤵
        
        PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4172,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8
1⤵
PID:2168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --field-trial-handle=4352,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:1
1⤵
PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --field-trial-handle=4232,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:1
1⤵
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --field-trial-handle=5148,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:1
1⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5292,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:8
1⤵
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5428,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8
1⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=5440,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:1
1⤵
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+mmplo.html

Filesize
8KB

MD5
8e23d91340947ae2f20bc538d8a0060d

SHA1
df7ea948d9fc4ecaaa0a9982f2a4c05078ef6f58

SHA256
c2b446795448a82f0e046411668369658b29ea68444bd99cb62b20dd3cd07078

SHA512
82c64e09d031ec65706498675138b7a1f0502ac8050f3bcfbd90b8643f8d1ae3e143f4a948f977e0013ce765af1330b15b6198132257cd852cc20a08cc9dd9c5

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+mmplo.png

Filesize
69KB

MD5
a341eb945349143d438c2563f7aabcc9

SHA1
34cb1e7dbafc2d99d43b51116c2ddcb2cbad327c

SHA256
020d1c0bc64cb011ffa6b1c93ecf5826ab2b26a9034ce7ab2e20b12d253ef424

SHA512
055da6dd100758b56ca5592859d27f0d74f0e6ee41d517324e8027aad998a0739f36a15804c09b39f77af5101044437b8e4230d24cbcc7104d46c0b39fce02a2

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+mmplo.txt

Filesize
2KB

MD5
cb49d07df9bd4f827e28fe88a1ada169

SHA1
3430b7dc0d51e9ef227e0c29ae3d3b0ae20cbd65

SHA256
72735ebb3f35602d93747f68296bc7a19c27f01431148a797a090e326ee73f17

SHA512
4c553c15c90368ea3ef1f78723f8cb5b6aa73766bb4be0b9356d225d7e77047ea918a0cc3df377efece06569a7b83d12a186d205d5545b01599abe86732dac6f

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
7e2714565b8cde030369c170231cca5f

SHA1
272d6defe5202356c74c945931a4e365ddd7d00a

SHA256
a4e987215eab9d8e89ef61c6b3323be06acf63f430ff4579533606f9abea787a

SHA512
28883708388cdcf8094a97b98f2c4e66d72654e75b9ed319cdf7d93b60a3340e525f7c2f5aa220de6fe11067c7008f80c0213867c1b8e8784ac26d13bb654982

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
72cdb678fdfe0450bd2c462a816202ad

SHA1
3d8924515fe4c8bcd950240bb3e8f65fb3a3f3c1

SHA256
abbdb5e9fa953cc8f812098a59aab65f7d1d6e9a4395f1e15f061f9925597fb5

SHA512
376775b3c695a318abbc5a0c1fda924628d56ca44dd16f434c3ad2bd460cdba1097da0b5246ee2bf4bfc2da7cf454a5e4cb9cef91ea41edef23e4045ca3e9d57

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
b457a5c44cf94aedcfb44d563d06d694

SHA1
86f4c3256f919515a176ad730b060a9f7449c088

SHA256
e1f15a04a0e835f299f41467a7e753f09fc9fe0aa4dce3b576a1f4688a4dd849

SHA512
db28230171576dc8ad73c3f6ab1747eceb4eb67f71c08ef4e8b9751d5ac1b7202f95fe6bfe290765e5ae0d6a760bba26d1926bc215a667c203a207a555c1d5b6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449549740872.txt

Filesize
75KB

MD5
5dbffbfe8227bd739fc8538d76c743d6

SHA1
b54044cb6309930eaf824284cf172a72a9c02e1b

SHA256
963e81c1c6c586058acec11e3d4c7c69014983681a88792c54720b1d50fb5040

SHA512
f8359a077492c449832489324db7fcf39714b650c0780c2b8b8f001440e59d06805d4fdf2c2551d44e228aa85e0b7ffdebe0cd7ad4e11cbc6cd676851ad97495

Download Submit
C:\Windows\rdhxrehcgmur.exe

Filesize
368KB

MD5
5885d072fb73bdd355e85b67bcde3bfd

SHA1
538b93b18131e4d9de79f87f6b156c2d46895045

SHA256
d3f5990770291c25a4ff14e8a6fe033f7ad1689c6206ed41eb7ed253a1c2c348

SHA512
7da4dbbb0c98cd2ad56ffe28a23ed67e66583a0822e0e16aadfa102447d7a22acbd9e526fc9a9ee3ecae68389b02e12347182a64829cd762559ed083ee94882e

Download Submit
memory/1300-4-0x0000000000AB0000-0x0000000000AB3000-memory.dmp

Filesize
12KB

Download
memory/1300-0-0x0000000000AB0000-0x0000000000AB3000-memory.dmp

Filesize
12KB

Download
memory/1300-1-0x0000000000AB0000-0x0000000000AB3000-memory.dmp

Filesize
12KB

Download
memory/1608-12-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/1608-20-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/3104-26-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3104-6007-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3104-24-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3104-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3104-53-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3104-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3104-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3104-10903-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3104-10897-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3104-10890-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3104-10888-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3104-1722-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3104-3834-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3104-21-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3104-8667-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3412-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3412-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3412-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3412-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3412-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download