8ff70b14c79a3030f28ecdc49bee79f7ee662c811c1dc9589ad9e37fdca38000

Resubmissions

14-07-2024 22:19

240714-18zkyavdkl 10

Analysis

max time kernel
33s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Size

156KB
MD5

827fd84e6c235dbb400442390a538441
SHA1

f88eafeeb71837534f32d7de483497d8d74fb279
SHA256

7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea
SHA512

4e6df341e606cdc5ecafd02b7e9ba979502301e5e89aaecf604018d014019ffd6bd26b1380cb316ec1beb8f533df5125e75ec67d8760f7bcd90f883b72199f6b
SSDEEP

3072:1DDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368yUTtc76PJCW:n5d/zugZqll3OUCuPJ

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\bMHeBJMks.README.txt

Ransom Note

~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: 0B4A03D462BADECE46F3FCA072814630 << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.

URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

Renames multiple (165) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

BD35.tmp

pid	Process
1616	BD35.tmp

Executes dropped EXE 1 IoCs

Processes:

BD35.tmp

pid	Process
1616	BD35.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1176886754-713327781-2233697964-1000\desktop.ini	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1176886754-713327781-2233697964-1000\desktop.ini	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\bMHeBJMks.bmp"	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\bMHeBJMks.bmp"	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exeBD35.tmp

pid	Process
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp

Modifies Control Panel 2 IoCs

evasion

Processes:

7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\Desktop\WallpaperStyle = "10"	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\Desktop	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

Modifies registry class 5 IoCs

Processes:

7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bMHeBJMks	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bMHeBJMks\DefaultIcon\ = "C:\\ProgramData\\bMHeBJMks.ico"	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bMHeBJMks	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bMHeBJMks\ = "bMHeBJMks"	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bMHeBJMks\DefaultIcon	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

pid	Process
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

BD35.tmp

pid	Process
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp
1616	BD35.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exevssvc.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeDebugPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: 36	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeImpersonatePrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeIncBasePriorityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeIncreaseQuotaPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: 33	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeManageVolumePrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeProfSingleProcessPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeRestorePrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSystemProfilePrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeTakeOwnershipPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeShutdownPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeDebugPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	1620	vssvc.exe
Token: SeRestorePrivilege	1620	vssvc.exe
Token: SeAuditPrivilege	1620	vssvc.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeSecurityPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
Token: SeBackupPrivilege	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe

description	pid	Process	procid_target
PID 632 wrote to memory of 1616	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe	90
PID 632 wrote to memory of 1616	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe	90
PID 632 wrote to memory of 1616	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe	90
PID 632 wrote to memory of 1616	632	7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe	90

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe
"C:\Users\Admin\AppData\Local\Temp\7de7ce42cde20847749fa5bc4048cf5cacec8c2bf49169d7d262ea38630640ea.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632
- C:\ProgramData\BD35.tmp
  "C:\ProgramData\BD35.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  PID:1616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1176886754-713327781-2233697964-1000\AAAAAAAAAAA

Filesize
129B

MD5
024ec71484ae15e2a02a5b24ec75ea3b

SHA1
0ce5c41e48057b6453d289aced9e8de366b66f49

SHA256
4283ae65e059a7411b7bb04e87b6ec82f8875999ab011940bde9c24ddcc68c6d

SHA512
bed691de2102b4fbda5b0ed4d87e46451e0665b9d76f173c4e323694c74d955fb41cc6dd2f476268c16fb0ff8b2c01d173571c8ffa9fe1b02edf48ef6142e7a9

Download Submit
C:\ProgramData\BD35.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
156KB

MD5
e65419014226e65f98102d110d63ba4c

SHA1
eb17e8c063bd4a9b3186088b218a1f2885ea0db4

SHA256
a1f8290fee59873bdc4a687f8371b47d7f75d07d2788def3e45e89b036d47ac1

SHA512
85a5bed226b07b13b6a0d786da639c65f74a4922a9f5b6e98ce0f4a98f23c9dbcaca78ab74aa7b141206abebe54dc68260663c4f938e4b07f8ea32dde830f1ee

Download Submit
C:\Users\bMHeBJMks.README.txt

Filesize
2KB

MD5
005a95dbc4ad692608da2a2a0fa13414

SHA1
cbf20bb2fc3bfd22cac73c31ed323051afc0c7f0

SHA256
54be18db123a8778bd214233dbf9543838ec6f14df568cad7317e46cf4cb14e0

SHA512
53afeb19ff5b4ce9156d2f9ba52439ebb00272aec2ded209b6aac06dd9e316d948622cb3f8942e1343553c4ee5f250c81a6ceace11d5af72a46790c625a2c2f7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1176886754-713327781-2233697964-1000\DDDDDDDDDDD

Filesize
129B

MD5
c9ece160775c34ec5c870abe59e5c3b5

SHA1
af02a29dc7ab7c443ebe0731724a5902ebffab87

SHA256
009446ba4e85b915a57f5dccaff1b995860d0635706f83dd16390a2cdbee21fa

SHA512
1687201cac3a4247707cafbff6719e85ccb4b607b8a88a6f32a8c471b27c681d2fd5534067c4c5f1383849529f98a5a8aa5a916e92a13cd069b3ec8febad7dda

Download Submit
memory/632-1-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/632-2-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/632-0-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/1616-323-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

Filesize
4KB

Download
memory/1616-322-0x000000007FE20000-0x000000007FE21000-memory.dmp

Filesize
4KB

Download
memory/1616-321-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/1616-320-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/1616-319-0x000000007FE40000-0x000000007FE41000-memory.dmp

Filesize
4KB

Download
memory/1616-352-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/1616-353-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download