3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

Analysis

max time kernel
1563s
max time network
1565s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
Size

42KB
MD5

abb04a0418be9cc4618f393d7fc9d76b
SHA1

dbe3b07ab1383e4d693bb6cab17ad8a7c1c5cd7b
SHA256

56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659
SHA512

f7bce71f01ffae675a8b8a23a8f2e4d162ccefc349beadb84ffcca890dc68ed636acf4f7d694145c779125078f6634f30aed5f5651ee6c12dc4768f7c0a0f47b
SSDEEP

768:QO1oR/8VS1RzK4wbs+D/SIJX+ZZ1SQQwZuIOPzDsHw67ZY23IWSjNV:QgS1FKnDtkuImsHw6V73ejNV

Score

10^/10

defense_evasion execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay us. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (8307) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2700 wbadmin.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2616 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 iplogger.com
4 iplogger.com

pid	process
2700	wbadmin.exe

pid	process
2616	cmd.exe

flow	ioc
5	iplogger.com
4	iplogger.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BC6.tmp.bmp"	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe

Drops file in Program Files directory 64 IoCs

Processes:

56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\flyout.css	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif.[1B58F677].[[email protected]].mkp	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\+README-WARNING+.txt	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\FLASH.NET.XML	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Training.potx	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\+README-WARNING+.txt	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Adjacency.eftx	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_settings.png	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\settings.css	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00428_.WMF	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTITL.ICO	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\validation.js	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Java\jre7\lib\alt-rt.jar	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02091_.WMF	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14710_.GIF	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.XML	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\settings.css	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR32F.GIF	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif.[1B58F677].[[email protected]].mkp	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0168644.WMF	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\wmpnssui.dll.mui	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\+README-WARNING+.txt	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188679.WMF	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImagesMask.bmp	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.properties	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\+README-WARNING+.txt	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Majuro	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.log	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00799_.WMF	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00233_.WMF	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECREC.CFG	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider.png	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Juan	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-horizontal.png	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_cloudy.png	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\+README-WARNING+.txt	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\+README-WARNING+.txt	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\wmpnssci.dll.mui	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10336_.GIF	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14800_.GIF	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OUTGOING.ICO	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2772 vssadmin.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1912 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe

pid process

2720 56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe

pid	process
2772	vssadmin.exe

pid	process
1912	PING.EXE

pid	process
2720	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

vssvc.exewbengine.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	2712	vssvc.exe
Token: SeRestorePrivilege	2712	vssvc.exe
Token: SeAuditPrivilege	2712	vssvc.exe
Token: SeBackupPrivilege	1320	wbengine.exe
Token: SeRestorePrivilege	1320	wbengine.exe
Token: SeSecurityPrivilege	1320	wbengine.exe
Token: SeIncreaseQuotaPrivilege	2360	WMIC.exe
Token: SeSecurityPrivilege	2360	WMIC.exe
Token: SeTakeOwnershipPrivilege	2360	WMIC.exe
Token: SeLoadDriverPrivilege	2360	WMIC.exe
Token: SeSystemProfilePrivilege	2360	WMIC.exe
Token: SeSystemtimePrivilege	2360	WMIC.exe
Token: SeProfSingleProcessPrivilege	2360	WMIC.exe
Token: SeIncBasePriorityPrivilege	2360	WMIC.exe
Token: SeCreatePagefilePrivilege	2360	WMIC.exe
Token: SeBackupPrivilege	2360	WMIC.exe
Token: SeRestorePrivilege	2360	WMIC.exe
Token: SeShutdownPrivilege	2360	WMIC.exe
Token: SeDebugPrivilege	2360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2360	WMIC.exe
Token: SeRemoteShutdownPrivilege	2360	WMIC.exe
Token: SeUndockPrivilege	2360	WMIC.exe
Token: SeManageVolumePrivilege	2360	WMIC.exe
Token: 33	2360	WMIC.exe
Token: 34	2360	WMIC.exe
Token: 35	2360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2360	WMIC.exe
Token: SeSecurityPrivilege	2360	WMIC.exe
Token: SeTakeOwnershipPrivilege	2360	WMIC.exe
Token: SeLoadDriverPrivilege	2360	WMIC.exe
Token: SeSystemProfilePrivilege	2360	WMIC.exe
Token: SeSystemtimePrivilege	2360	WMIC.exe
Token: SeProfSingleProcessPrivilege	2360	WMIC.exe
Token: SeIncBasePriorityPrivilege	2360	WMIC.exe
Token: SeCreatePagefilePrivilege	2360	WMIC.exe
Token: SeBackupPrivilege	2360	WMIC.exe
Token: SeRestorePrivilege	2360	WMIC.exe
Token: SeShutdownPrivilege	2360	WMIC.exe
Token: SeDebugPrivilege	2360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2360	WMIC.exe
Token: SeRemoteShutdownPrivilege	2360	WMIC.exe
Token: SeUndockPrivilege	2360	WMIC.exe
Token: SeManageVolumePrivilege	2360	WMIC.exe
Token: 33	2360	WMIC.exe
Token: 34	2360	WMIC.exe
Token: 35	2360	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NOTEPAD.EXE

pid process

2468 NOTEPAD.EXE

pid	process
2468	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.execmd.execmd.exe

description	pid	process	target process
PID 2720 wrote to memory of 2780	2720	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe	cmd.exe
PID 2720 wrote to memory of 2780	2720	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe	cmd.exe
PID 2720 wrote to memory of 2780	2720	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe	cmd.exe
PID 2720 wrote to memory of 2780	2720	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe	cmd.exe
PID 2780 wrote to memory of 2772	2780	cmd.exe	vssadmin.exe
PID 2780 wrote to memory of 2772	2780	cmd.exe	vssadmin.exe
PID 2780 wrote to memory of 2772	2780	cmd.exe	vssadmin.exe
PID 2780 wrote to memory of 2700	2780	cmd.exe	wbadmin.exe
PID 2780 wrote to memory of 2700	2780	cmd.exe	wbadmin.exe
PID 2780 wrote to memory of 2700	2780	cmd.exe	wbadmin.exe
PID 2780 wrote to memory of 2360	2780	cmd.exe	WMIC.exe
PID 2780 wrote to memory of 2360	2780	cmd.exe	WMIC.exe
PID 2780 wrote to memory of 2360	2780	cmd.exe	WMIC.exe
PID 2720 wrote to memory of 2616	2720	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe	cmd.exe
PID 2720 wrote to memory of 2616	2720	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe	cmd.exe
PID 2720 wrote to memory of 2616	2720	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe	cmd.exe
PID 2720 wrote to memory of 2616	2720	56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe	cmd.exe
PID 2616 wrote to memory of 1912	2616	cmd.exe	PING.EXE
PID 2616 wrote to memory of 1912	2616	cmd.exe	PING.EXE
PID 2616 wrote to memory of 1912	2616	cmd.exe	PING.EXE
PID 2616 wrote to memory of 1912	2616	cmd.exe	PING.EXE
PID 2616 wrote to memory of 2936	2616	cmd.exe	fsutil.exe
PID 2616 wrote to memory of 2936	2616	cmd.exe	fsutil.exe
PID 2616 wrote to memory of 2936	2616	cmd.exe	fsutil.exe
PID 2616 wrote to memory of 2936	2616	cmd.exe	fsutil.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
"C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe"
1⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
"C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe" n2720
2⤵
PID:2776

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2772

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:2700

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 5 & fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe" & del /q /f "C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 5
3⤵
- Runs ping.exe
PID:1912

C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe"
3⤵
PID:2936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:608

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2272

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2480

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:2468

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Direct Volume Access

T1006

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt
Filesize
1KB

MD5
29abe2cf61968275a38bcf735c875d5d

SHA1
4386674a153df8a4a1dc81bcf976ffae29299b2f

SHA256
463c885a5b5cf4b8447e11fddf5b2028c8adf0974f6bb3178454bf26bb3082e6

SHA512
261193ffe16866ed90f20ef293876c619393ce7e29a75cfba87badd2f34f2bed8338728a0a0ce505b6817adab04e9e22826cdd42f7917b434c1b978f07dc5871

Download Submit