Analysis
max time kernel: 74s
max time network: 56s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 05-07-2024 10:48
Behavioral task: behavioral1
Sample: 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
Resource: win10v2004-20240704-en
General
Target: 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
Size: 1.3MB
MD5: 9e6c3801e0ac1c1fee4150e48777f3f6
SHA1: 1e21dd960332e36051244fcc8180fa62a87d889d
SHA256: 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263
SHA512: 73f114f6a31e9a8267086b80c731c30a9c0808a775bdcf07b1fae439da79f789b4fdf2d1a0ef8906e8cd0139f85fc47bf7c76e4bf81753b4670c8cb777883845
SSDEEP: 12288:QmHAIqyfF/5ebyz1dpPlRnMRTD410ALP68kG3Jz4S9FUmnyJtgoiOHmabd8ornXz:HHRFfauvpPXnMKqJtfiOHmUd8QTHj
Malware Config
Extracted
C:\Users\Admin\!!!HOW_TO_DECRYPT!!!.mht
[email protected]
[email protected]
Signatures

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid | Process
1320 | bcdedit.exe
1092 | bcdedit.exe

Renames multiple (919) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

pid | Process
332 | wbadmin.exe
1324 | wbadmin.exe

Drops file in Drivers directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\protocol | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\drivers\etc\protocol.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\drivers\etc\services.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\drivers\etc\services.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\drivers\etc\networks | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\drivers\etc\networks.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\drivers\etc\networks.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\drivers\etc\services | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\drivers\etc\protocol.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe

Deletes itself (1 IoCs)
pid | Process
2264 | cmd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe\" e" | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe

Drops desktop.ini file(s) (1 IoCs)
description | ioc | Process
File opened for modification | \??\E:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe

Enumerates connected drives (3 TTPs, 39 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | vssadmin.exe
File opened (read-only) | \??\G: | vssadmin.exe
File opened (read-only) | \??\Z: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\N: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\T: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\H: | vssadmin.exe
File opened (read-only) | \??\G: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\V: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\P: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\Q: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\W: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\E: | vssadmin.exe
File opened (read-only) | \??\S: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\R: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\J: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\K: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\h: | vssadmin.exe
File opened (read-only) | \??\H: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\O: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\D: | vssadmin.exe
File opened (read-only) | \??\g: | vssadmin.exe
File opened (read-only) | \??\g: | vssadmin.exe
File opened (read-only) | \??\H: | vssadmin.exe
File opened (read-only) | \??\h: | vssadmin.exe
File opened (read-only) | \??\A: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\L: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\U: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\D: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\E: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\E: | vssadmin.exe
File opened (read-only) | \??\B: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\I: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\M: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\X: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\Y: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\F: | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened (read-only) | \??\D: | vssadmin.exe

Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\LogFiles\Scm\20ffa017-5481-4f6b-92ea-adb623fbebf4.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\System32\config\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\config\RegBack\SECURITY | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\config\COMPONENTS.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\System32\Microsoft\Protect\S-1-5-18\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\cd2dc0a3-b028-415f-a3bd-e9d070a6982d | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\config\SOFTWARE | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\config\DEFAULT | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\config\SAM | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1740fc16-a4e6-4435-a5fa-5dd25b12902d.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\System32\config\RegBack\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\config\RegBack\SYSTEM | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\config\COMPONENTS.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\30658922-e1e4-458d-ae56-9f5b69ba66b5.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1740fc16-a4e6-4435-a5fa-5dd25b12902d | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\config\RegBack\SAM | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\System32\LogFiles\Scm\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\cd2dc0a3-b028-415f-a3bd-e9d070a6982d.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1740fc16-a4e6-4435-a5fa-5dd25b12902d.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Aqtobe | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Singapore | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Tashkent.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Program Files\Java\jre7\lib\zi\Etc\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Indian\Cocos | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Australia\Darwin.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Madrid | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Antarctica\DumontDUrville | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Guam | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\SystemV\AST4.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Palau.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Lagos.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Antigua | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Los_Angeles.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Miquelon.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Whitehorse | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Andorra | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\GMT.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Choibalsan.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Danmarkshavn.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Pyongyang.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Seoul.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Puerto_Rico | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Kiritimati.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Indiana\Winamac.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\Reykjavik.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Brunei | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Srednekolymsk | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Oslo.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Antarctica\Palmer.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\Bermuda.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Fortaleza.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Sakhalin.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Samara | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Indian\Mauritius.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\El_Aaiun.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Australia\Broken_Hill.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Hovd | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Puerto_Rico.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Winnipeg | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Taipei.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\classlist.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\Bermuda | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe

Drops file in Windows directory (50 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | wbadmin.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\2th1 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\Boot\PCAT\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\absthr_2 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\2cb0 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\alloc_1 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\Panther\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\Boot\PCAT\bootmgr | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\1cb1 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\absthr_1 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | wbadmin.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\absthr_0 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\enwindow | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | wbadmin.exe
File opened for modification | C:\Windows\Panther\setupinfo | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\2cb1 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | wbadmin.exe
File opened for modification | C:\Windows\Panther\setupinfo.1btc | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\dewindow | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\1th2 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\2cb2 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\alloc_3 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\Boot\DVD\EFI\BCD | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\alloc_0 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | wbadmin.exe
File opened for modification | C:\Windows\Boot\DVD\PCAT\BCD | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\1cb2 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\1th1 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\Boot\DVD\EFI\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\2th0 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\ehome\CreateDisc\Components\tables\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\1th0 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\alloc_2 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\Panther\setupinfo.inprocess | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\2th2 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File created | C:\Windows\Boot\DVD\PCAT\!!!HOW_TO_DECRYPT!!!.mht | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Components\tables\1cb0 | 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 13 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
vssadmin.exe PIDs: 2988, 1960, 968, 2648, 2116, 2372, 2812, 1604, 1136, 1380, 772, 2280, 2728
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 23 IoCs
vssvc.exe (PID 2840): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
wmic.exe (PID 2368): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory 57 IoCs
System policy modification 1 TTPs 1 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" by 528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
"C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe"
- Drops file in Drivers directory
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1952

  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  - Interacts with shadow copies
  PID:2372

  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  - Interacts with shadow copies
  PID:2812

  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2648

  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1604

  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1960

  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1136

  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2116

  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2280

  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2728

  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:968

  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1380

  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:772

  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  - Interacts with shadow copies
  PID:2988

  C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  - Modifies boot configuration data using bcdedit
  PID:1320

  C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  - Modifies boot configuration data using bcdedit
  PID:1092

  C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  - Deletes System State backups
  - Drops file in Windows directory
  PID:332

  C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  - Deletes System State backups
  - Drops file in Windows directory
  PID:1324

  C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  - Suspicious use of AdjustPrivilegeToken
  PID:2368

  C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\528502~1.EXE >> NUL
  - Deletes itself
  PID:2264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2840
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation: Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Defense Evasion: Direct Volume Access (1); Indicator Removal (3): File Deletion (3); Modify Registry (2)
Downloads
Filesize 4KB
MD5 206a231b4f6aa7c56da16a500b53e5ff
SHA1 4e64d9d2ef6691a6490bba40e24308d03cd0d7bc
SHA256 99c7c86c73a44882c3225bf6333b99c8a3620efffa76a659c339ea899bf96521
SHA512 13d02410d9d16cfbfe3aabe388b98cffb4a6f25455c02e1d89be4568462dc963ad3a6664def0394081bfb10a5f01cacd57e20ccdac5111f5eeb21c8d4ed72b9b