agenda | af9919d2097e7bb4daf6456906c44b36421ad0c108d58ed9525b0a5eda468b8c

Analysis

max time kernel
126s
max time network
125s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
15-06-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
Size

7.7MB
MD5

a7ab0969bf6641cd0c7228ae95f6d217
SHA1

002971b6d178698bf7930b5b89c201750d80a07e
SHA256

117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464
SHA512

7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a
SSDEEP

49152:mwHittZSrb/TjvO90dL3BmAFd4A64nsfJTGNHltPgQjre0Q2hEsj2kcR9RsU/2LU:mwUs3dfC2at9kDXdmG55wuzZqGdE

Score

10^/10

agenda defense_evasion execution impact persistence ransomware

Malware Config

Extracted

Family

agenda

Attributes

company_id
OnHnnBvUej
note
-- Agenda Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: OnHnnBvUej Domain: login: bd61eb78-64a3-4ee0-9a8e-543b8bc12b5e password: 14158620-fb98-4889-87cb-f5251368fc21

rsa_pubkey.plain

Extracted

Path

C:\$Recycle.Bin\OnHnnBvUej-RECOVER-README.txt

Family

agenda

Ransom Note

-- Agenda Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: OnHnnBvUej Domain: login: bd61eb78-64a3-4ee0-9a8e-543b8bc12b5e password: 14158620-fb98-4889-87cb-f5251368fc21%!(EXTRA string=same as login)

Signatures

Agenda Ransomware
A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
ransomware agenda
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (158) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 3 IoCs

pid	Process
4404	svchost.exe
3544	enc.exe
3680	enc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*aster = "C:\\Users\\Public\\enc.exe"	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	enc.exe
File opened (read-only)	\??\H:	enc.exe
File opened (read-only)	\??\O:	enc.exe
File opened (read-only)	\??\S:	enc.exe
File opened (read-only)	\??\V:	enc.exe
File opened (read-only)	\??\Z:	enc.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\L:	enc.exe
File opened (read-only)	\??\Q:	enc.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\G:	enc.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\A:	enc.exe
File opened (read-only)	\??\E:	enc.exe
File opened (read-only)	\??\I:	enc.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\W:	enc.exe
File opened (read-only)	\??\J:	enc.exe
File opened (read-only)	\??\P:	enc.exe
File opened (read-only)	\??\K:	enc.exe
File opened (read-only)	\??\T:	enc.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\M:	enc.exe
File opened (read-only)	\??\N:	enc.exe
File opened (read-only)	\??\R:	enc.exe
File opened (read-only)	\??\Y:	enc.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\X:	enc.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\U:	enc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\OnHnnBvUej-RECOVER-README.txt	enc.exe
File created	C:\Program Files (x86)\OnHnnBvUej-RECOVER-README.txt	enc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\OnHnnBvUej-RECOVER-README.txt	enc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4560	vssadmin.exe
2988	vssadmin.exe
536	vssadmin.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	enc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	enc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-572 = "China Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	enc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	enc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3888	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
Token: SeBackupPrivilege	3264	vssvc.exe
Token: SeRestorePrivilege	3264	vssvc.exe
Token: SeAuditPrivilege	3264	vssvc.exe
Token: SeDebugPrivilege	3544	enc.exe
Token: SeDebugPrivilege	3680	enc.exe
Token: SeAuditPrivilege	2200	svchost.exe
Token: SeAuditPrivilege	2200	svchost.exe
Token: SeDebugPrivilege	3888	taskmgr.exe
Token: SeSystemProfilePrivilege	3888	taskmgr.exe
Token: SeCreateGlobalPrivilege	3888	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 4856	2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe	81
PID 2424 wrote to memory of 4856	2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe	81
PID 4856 wrote to memory of 4560	4856	cmd.exe	83
PID 4856 wrote to memory of 4560	4856	cmd.exe	83
PID 2424 wrote to memory of 4404	2424	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe	62
PID 4404 wrote to memory of 3680	4404	svchost.exe	84
PID 4404 wrote to memory of 3680	4404	svchost.exe	84
PID 4404 wrote to memory of 3544	4404	svchost.exe	85
PID 4404 wrote to memory of 3544	4404	svchost.exe	85
PID 3544 wrote to memory of 2844	3544	enc.exe	88
PID 3544 wrote to memory of 2844	3544	enc.exe	88
PID 3680 wrote to memory of 2096	3680	enc.exe	90
PID 3680 wrote to memory of 2096	3680	enc.exe	90
PID 2844 wrote to memory of 2988	2844	cmd.exe	92
PID 2844 wrote to memory of 2988	2844	cmd.exe	92
PID 2096 wrote to memory of 536	2096	cmd.exe	93
PID 2096 wrote to memory of 536	2096	cmd.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Public\enc.exe
  "C:\Users\Public\enc.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:536
- C:\Users\Public\enc.exe
  "C:\Users\Public\enc.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2988

C:\Users\Admin\AppData\Local\Temp\117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
"C:\Users\Admin\AppData\Local\Temp\117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4956

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\OnHnnBvUej-RECOVER-README.txt
1⤵
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\OnHnnBvUej-RECOVER-README.txt

Filesize
1KB

MD5
3a29ccf8fcbac5d1797999d3699375b1

SHA1
9993778053593d2704992f9e9cd7b79f4bd4a244

SHA256
534b085697b8406738b3281c1ca067cc90290ca8d44d2608eecdf4c0626c7e16

SHA512
99c1c76acd7e6ba366505000a21dc77400cb5531203f658d311d4b3926db90f331b870bb4d0bd6cd7731a41657b97d62feedb6fab74cee602c8fd91cc1d73600

Download Submit
C:\Users\Public\enc.exe

Filesize
7.7MB

MD5
a7ab0969bf6641cd0c7228ae95f6d217

SHA1
002971b6d178698bf7930b5b89c201750d80a07e

SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

Download Submit
C:\Users\Public\pwndll.dll

Filesize
91KB

MD5
e966c38c5b1a05d0bd86eb0edc1d3b84

SHA1
f10443e13b82c93f203c0428a357205aa55f2dee

SHA256
28aeb2d6576b2437ecab535c0a1bf41713ee9864611965bf1d498a87cbdd2fab

SHA512
6c80ec34f0d581e0924cb58f22e5bc70e36fcc6119db779744fad007bd943d95e5f646f06244e9a5aa40685649b7730e46dded68c0732e81559dded33a4dbe7b

Download Submit
memory/3888-20-0x00000284F33E0000-0x00000284F33E1000-memory.dmp

Filesize
4KB

Download
memory/3888-21-0x00000284F33E0000-0x00000284F33E1000-memory.dmp

Filesize
4KB

Download
memory/3888-11-0x00000284F33E0000-0x00000284F33E1000-memory.dmp

Filesize
4KB

Download
memory/3888-19-0x00000284F33E0000-0x00000284F33E1000-memory.dmp

Filesize
4KB

Download
memory/3888-18-0x00000284F33E0000-0x00000284F33E1000-memory.dmp

Filesize
4KB

Download
memory/3888-16-0x00000284F33E0000-0x00000284F33E1000-memory.dmp

Filesize
4KB

Download
memory/3888-17-0x00000284F33E0000-0x00000284F33E1000-memory.dmp

Filesize
4KB

Download
memory/3888-22-0x00000284F33E0000-0x00000284F33E1000-memory.dmp

Filesize
4KB

Download
memory/3888-12-0x00000284F33E0000-0x00000284F33E1000-memory.dmp

Filesize
4KB

Download
memory/3888-10-0x00000284F33E0000-0x00000284F33E1000-memory.dmp

Filesize
4KB

Download