Analysis

max time kernel:  270s
max time network: 279s
platform:         windows10-2004_x64
resource:         win10v2004-20240611-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted:        26/06/2024, 20:50
Behavioral tasks

task          sample                                               resource
behavioral1   FN-TOOLZ-main/FNCLEAN.bat                            win10v2004-20240508-en
behavioral2   Tournament_Fixer/AdditionalRuntimes/DevManView.exe   win10v2004-20240611-en
behavioral3   Tournament_Fixer/AdditionalRuntimes/MCCSPal.dll      win10v2004-20240508-en
behavioral4   Tournament_Fixer/AdditionalRuntimes/MaintenanceUI.dll  win10v2004-20240611-en
behavioral5   Tournament_Fixer/AdditionalRuntimes/ccl.exe          win10v2004-20240611-en
behavioral6   Tournament_Fixer/AdditionalRuntimes/cpuz.exe         win10v2004-20240508-en
behavioral7   Tournament_Fixer/AdditionalRuntimes/ddc.exe          win10v2004-20240508-en
behavioral8   Tournament_Fixer/AdditionalRuntimes/hssft.exe        win10v2004-20240611-en
behavioral9   Tournament_Fixer/AdditionalRuntimes/hwbd64.exe       win10v2004-20240508-en
behavioral10  Tournament_Fixer/AdditionalRuntimes/hwinfo32.exe     win10v2004-20240611-en
behavioral11  Tournament_Fixer/AdditionalRuntimes/hwinfo64.exe     win10v2004-20240611-en
behavioral12  Tournament_Fixer/AdditionalRuntimes/jfg.exe          win10v2004-20240508-en
behavioral13  Tournament_Fixer/AdditionalRuntimes/jsg.exe          win10v2004-20240611-en
behavioral14  Tournament_Fixer/AdditionalRuntimes/jsr.exe          win10v2004-20240611-en
behavioral15  Tournament_Fixer/AdditionalRuntimes/kwg.exe          win10v2004-20240611-en
behavioral16  Tournament_Fixer/AdditionalRuntimes/lsm.dll          win10v2004-20240508-en
behavioral17  Tournament_Fixer/AdditionalRuntimes/lsmproxy.dll     win10v2004-20240508-en
behavioral18  Tournament_Fixer/AdditionalRuntimes/lstelemetry.dll  win10v2004-20240611-en
behavioral19  Tournament_Fixer/AdditionalRuntimes/luainstall.dll   win10v2004-20240508-en
behavioral20  Tournament_Fixer/AdditionalRuntimes/luiapi.dll       win10v2004-20240226-en
behavioral21  Tournament_Fixer/AdditionalRuntimes/lz32.dll         win10v2004-20240611-en
behavioral22  Tournament_Fixer/AdditionalRuntimes/mcicda.dll       win10v2004-20240508-en
behavioral23  Tournament_Fixer/AdditionalRuntimes/mciwave.dll      win10v2004-20240611-en
behavioral24  Tournament_Fixer/AdditionalRuntimes/mfc70.dll        win10v2004-20240611-en
behavioral25  Tournament_Fixer/AdditionalRuntimes/nvrl.exe         win10v2004-20240611-en
behavioral26  Tournament_Fixer/AdditionalRuntimes/nvrl64.exe       win10v2004-20240508-en
behavioral27  Tournament_Fixer/AdditionalRuntimes/tcs.exe          win10v2004-20240611-en
behavioral28  Tournament_Fixer/AdditionalRuntimes/tcs64.exe        win10v2004-20240611-en
behavioral29  Tournament_Fixer/AdditionalRuntimes/tm.exe           win10v2004-20240508-en
behavioral30  Tournament_Fixer/AdditionalRuntimes/wmc.exe          win10v2004-20240508-en
behavioral31  FN-TOOLZ-main/applecleaner.exe                       win10v2004-20240611-en
behavioral32  FN-TOOLZ-main/serial_checker.bat                     win10v2004-20240508-en
General

Target: Tournament_Fixer/AdditionalRuntimes/jsr.exe
Size:   156KB
MD5:    3546548be0b0940c52ec881d48404818
SHA1:   0ded613db5266ffaeac2194bcdd86cec9559ee1c
SHA256: dec2a16531a09d05f1ae64a21c35d53cec5998be22c16a88b2e8b4a36878db9a
SHA512: 79cb1de22f0789624e4dff532d28d9203ba231e5d511995562a25da8f112eb21a970cfddf28f14760459dda0407a8f856363fca07afffa5f0a954806af619838
SSDEEP: 3072:54aDWLMGZvucWE8J05yc8MG13TaSNofLt/64e:5niMG1uXE865389Mxo
Malware Config
Signatures
Deletes NTFS Change Journal  (2 TTPs, 3 IoCs)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  pid   process
  2668  fsutil.exe
  1404  fsutil.exe
  1368  fsutil.exe
Deletes shadow copies  (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Drops startup file  (1 IoCs)
  description                   ioc                                                                                        process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini  jsr.exe
Reads user/profile data of web browsers  (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s)  (60 IoCs)
All 60 entries are "File opened for modification" by process jsr.exe; the ioc paths are:
  C:\Users\Public\desktop.ini
  C:\Users\Admin\3D Objects\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\Users\Public\Videos\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Public\AccountPictures\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\Users\Public\Downloads\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Admin\OneDrive\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  C:\Users\Public\Pictures\desktop.ini
Enumerates connected drives  (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     process
  File opened (read-only)  \??\E:  fsutil.exe
  File opened (read-only)  \??\D:  fsutil.exe
Drops file in System32 directory  (9 IoCs)
  description                   ioc                                                  process
  File opened for modification  C:\Windows\System32\spp\store                        jsr.exe
  File opened for modification  C:\Windows\system32\wbem\repository\WRITABLE.TST     svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository\MAPPING1.MAP     svchost.exe
  File opened for modification  C:\Windows\System32\restore\MachineGuid.txt          jsr.exe
  File opened for modification  C:\Windows\system32\wbem\repository\MAPPING2.MAP     svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository\MAPPING3.MAP     svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository\OBJECTS.DATA     svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository\INDEX.BTR        svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository                  svchost.exe
Drops file in Windows directory  (64 IoCs)
All 64 entries are "File opened for modification" by process jsr.exe; the ioc paths are:
  C:\Windows\Prefetch\MICROSOFTEDGEUPDATE.EXE-C4317749.pf
  C:\Windows\Prefetch\ONEDRIVESETUP.EXE-8CE5A462.pf
  C:\Windows\Prefetch\REG.EXE-E7E8BD26.pf
  C:\Windows\Prefetch\ResPriHMStaticDb.ebd
  C:\Windows\Prefetch\RUNDLL32.EXE-08AF006C.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-FCAF5656.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-FDF50724.pf
  C:\Windows\Prefetch\RUNTIMEBROKER.EXE-98C67737.pf
  C:\Windows\Prefetch\MICROSOFTEDGEUPDATESETUP_X86_-A43309D3.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-7194EF5E.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-D71F3FEA.pf
  C:\Windows\Prefetch\TIWORKER.EXE-C101ABCD.pf
  C:\Windows\Prefetch\WLRMDR.EXE-C2B47318.pf
  C:\Windows\Prefetch\SVCHOST.EXE-033BBABB.pf
  C:\Windows\Prefetch\AgGlGlobalHistory.db
  C:\Windows\Prefetch\DISMHOST.EXE-C4BB17E2.pf
  C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-002D6F84.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-0521102C.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-894C9E34.pf
  C:\Windows\Prefetch\RUNTIMEBROKER.EXE-B1A87C0F.pf
  C:\Windows\INF\setupapi.setup.log
  C:\Windows\Prefetch\MICROSOFTEDGEUPDATE.EXE-E30816F0.pf
  C:\Windows\Prefetch\RUNTIMEBROKER.EXE-94A02D86.pf
  C:\Windows\Prefetch\SVCHOST.EXE-F027B880.pf
  C:\Windows\Prefetch\ONEDRIVE.EXE-96969DDA.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-1463E66D.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-7BCB4814.pf
  C:\Windows\Prefetch\DLLHOST.EXE-28A8211F.pf
  C:\Windows\Prefetch\ReadyBoot
  C:\Windows\Prefetch\RUNDLL32.EXE-7BB97BF6.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-641DCE1C.pf
  C:\Windows\Prefetch\VERCLSID.EXE-7C52E31C.pf
  C:\Windows\Prefetch\RUNTIMEBROKER.EXE-06226CEB.pf
  C:\Windows\Prefetch\SVCHOST.EXE-4BA0E729.pf
  C:\Windows\Prefetch\WFSERVICESREG.EXE-3EE82250.pf
  C:\Windows\Prefetch\AgAppLaunch.db
  C:\Windows\Prefetch\RUNDLL32.EXE-E66A223C.pf
  C:\Windows\Prefetch\LINQWEBCONFIG.EXE-4A3DBBF6.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-7EF4A0DD.pf
  C:\Windows\Prefetch\SGRMBROKER.EXE-0CA31CC6.pf
  C:\Windows\Prefetch\SVCHOST.EXE-96A7E1CF.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-56E309E9.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-C8D69DC6.pf
  C:\Windows\Prefetch\SVCHOST.EXE-DF3D779F.pf
  C:\Windows\Prefetch\BACKGROUNDTASKHOST.EXE-ACEF2FA2.pf
  C:\Windows\Prefetch\BYTECODEGENERATOR.EXE-C1E9BCE6.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-7CB48DE8.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-7F337F0A.pf
  C:\Windows\Prefetch\RUNTIMEBROKER.EXE-BC366267.pf
  C:\Windows\Prefetch\VSSVC.EXE-B8AFC319.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-D2B15AE2.pf
  C:\Windows\Prefetch\SVCHOST.EXE-342BD74A.pf
  C:\Windows\Prefetch\NGEN.EXE-AE594A6B.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-18665B15.pf
  C:\Windows\Prefetch\SVCHOST.EXE-5AC380EC.pf
  C:\Windows\Prefetch\SVCHOST.EXE-C49E779A.pf
  C:\Windows\Prefetch\TAKEOWN.EXE-A80759AD.pf
  C:\Windows\Prefetch\TASKKILL.EXE-8F5B2253.pf
  C:\Windows\Prefetch\AgRobust.db
  C:\Windows\Prefetch\RUNDLL32.EXE-AE5EC6E9.pf
  C:\Windows\Prefetch\RUNTIMEBROKER.EXE-005D3145.pf
  C:\Windows\Prefetch\SVCHOST.EXE-E45D8788.pf
  C:\Windows\Prefetch\AgGlFgAppHistory.db
Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry  (2 TTPs, 7 IoCs)
All entries are by process jsr.exe; the key prefix \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 is abbreviated as <DiskController> below.
  description        ioc
  Key queried        <DiskController>\DiskPeripheral\0
  Set value (str)    <DiskController>\DiskPeripheral\0\Identifier = "337e3303-dfd9a03a-a"
  Key opened         <DiskController>\DiskPeripheral
  Key enumerated     <DiskController>\DiskPeripheral
  Key queried        <DiskController>\DiskPeripheral
  Key opened         <DiskController>\DiskPeripheral\0
  Key value queried  <DiskController>\DiskPeripheral\0\Identifier
Interacts with shadow copies  (3 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   process
  3624  vssadmin.exe

Modifies Internet Explorer settings
  description       ioc                                                                                      process
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = a01605f6d93e56e9  jsr.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses  (2 IoCs)
  pid   process
  2272  jsr.exe
  2272  jsr.exe
Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  description                     pid   process
  Token: SeTakeOwnershipPrivilege  2272  jsr.exe
  Token: SeBackupPrivilege         4788  vssvc.exe
  Token: SeRestorePrivilege        4788  vssvc.exe
  Token: SeAuditPrivilege          4788  vssvc.exe
The remaining 60 entries are PID 4988 svchost.exe adjusting the following 12 privileges, in this order, five times over:
  Token: SeAssignPrimaryTokenPrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemtimePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
Suspicious use of WriteProcessMemory  (26 IoCs)
Each write is recorded twice in the report; the 13 distinct writes are:
  pid   process      target pid  procid_target
  2272  jsr.exe      3584        93
  3584  cmd.exe      2668        94
  2272  jsr.exe      3264        95
  3264  cmd.exe      1404        96
  2272  jsr.exe      3740        97
  3740  cmd.exe      1368        98
  2272  jsr.exe      836         99
  836   cmd.exe      3624        100
  2272  jsr.exe      2672        103
  2672  cmd.exe      3064        104
  3064  net.exe      4136        105
  2272  jsr.exe      840         108
  4988  svchost.exe  988         127
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe  (PID 2272)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\jsr.exe"
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  (PID 3584)
    cmdline: C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d C:
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\fsutil.exe  (PID 2668)
      cmdline: fsutil usn deletejournal /d C:
      - Deletes NTFS Change Journal

  C:\Windows\system32\cmd.exe  (PID 3264)
    cmdline: C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d D:
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\fsutil.exe  (PID 1404)
      cmdline: fsutil usn deletejournal /d D:
      - Deletes NTFS Change Journal
      - Enumerates connected drives

  C:\Windows\system32\cmd.exe  (PID 3740)
    cmdline: C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d E:
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\fsutil.exe  (PID 1368)
      cmdline: fsutil usn deletejournal /d E:
      - Deletes NTFS Change Journal
      - Enumerates connected drives

  C:\Windows\system32\cmd.exe  (PID 836)
    cmdline: C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe  (PID 3624)
      cmdline: vssadmin delete shadows /All /Quiet
      - Interacts with shadow copies

  C:\Windows\system32\cmd.exe  (PID 2672)
    cmdline: C:\Windows\system32\cmd.exe /c net stop winmgmt /Y
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net.exe  (PID 3064)
      cmdline: net stop winmgmt /Y
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\net1.exe  (PID 4136)
        cmdline: C:\Windows\system32\net1 stop winmgmt /Y

  C:\Windows\system32\cmd.exe  (PID 840)
    cmdline: C:\Windows\system32\cmd.exe /c pause

C:\Windows\system32\vssvc.exe  (PID 4788)
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe  (PID 4988)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\wbem\WMIADAP.EXE  (PID 988)
    cmdline: wmiadap.exe /F /T /R