Overview
overview
10Static
static
10084c57449c...0e.exe
windows7-x64
1014b94844b9...c3.exe
windows7-x64
102daa514408...2e.exe
windows7-x64
102e6f094748...ec.exe
windows7-x64
2e96b55980...ea.exe
windows7-x64
134c392448f...ea.exe
windows7-x64
1037d8add251...4c.exe
windows7-x64
103a72653053...59.exe
windows7-x64
1049aca08f5b...24.exe
windows7-x64
104a2ad49c93...9f.exe
windows7-x64
35199b64b50...3c.exe
windows7-x64
55c30024ae...15.exe
windows7-x64
1056f7b48f38...59.exe
windows7-x64
105a96b92938...a4.exe
windows7-x64
10606b88fce1...c4.exe
windows7-x64
16bda9faf71...4b.exe
windows7-x64
1071b46e95fb...a8.exe
windows7-x64
107d98972d5c...9c.exe
windows7-x64
987b9b910d5...cb.exe
windows7-x64
108958d7b8c5...e2.exe
windows7-x64
10ab5be9e691...09.exe
windows7-x64
10b228a698ee...c0.exe
windows7-x64
c864a70f78...1d.exe
windows7-x64
cfd5d9a4e6...f0.exe
windows7-x64
da6f543313...2e.exe
windows7-x64
6e05323d9ca...62.exe
windows7-x64
1e48bd2f16b...14.exe
windows7-x64
10ecfb5c95d0...9d.exe
windows7-x64
10f08c1c26d3...3f.exe
windows7-x64
6f354148b5f...0f.exe
windows7-x64
6f7caf7d69c...6a.exe
windows7-x64
10fcb6844506...93.exe
windows7-x64
1Analysis
-
max time kernel
1436s -
max time network
1437s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
16-07-2024 08:54
Static task
static1
Behavioral task
behavioral1
Sample
084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
14b94844b99ac43c014ea73c3400097e3239a7307d1618e84159a741ab0e8ac3.exe
Resource
win7-20240704-en
Behavioral task
behavioral3
Sample
2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e.exe
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
2e6f094748124800d8cf6bdb28bb8aa4caa066923cf3e9778dae8bcb2b6e85ec.exe
Resource
win7-20240705-en
Behavioral task
behavioral5
Sample
2e96b55980a827011a7e0784ab95dcee53958a1bb19f5397080a434041bbeeea.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
34c392448fc0818278cd19bb0841adf573e967be8a0f73bb42bb367a5835b6ea.exe
Resource
win7-20240704-en
Behavioral task
behavioral7
Sample
37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Resource
win7-20240704-en
Behavioral task
behavioral9
Sample
49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24.exe
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
4a2ad49c934f9ae6ca6b5d0c7cc34f5e12d349640012fa8cf8eb7e2d3acd6c9f.exe
Resource
win7-20240705-en
Behavioral task
behavioral11
Sample
5199b64b50f678d75f85cb0c3ac97d7df67f23471815e21236b1a790d008fe3c.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
55c30024aed833336eb4720a1a4a40c78496efb27b3c4d5c3f1d1b5935c12715.exe
Resource
win7-20240705-en
Behavioral task
behavioral13
Sample
56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe
Resource
win7-20240708-en
Behavioral task
behavioral15
Sample
606b88fce1441e6d83e1fb2ba1b511e4a9e68f7fc01c55b7c53e08fd28f9a0c4.exe
Resource
win7-20240705-en
Behavioral task
behavioral16
Sample
6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
Resource
win7-20240705-en
Behavioral task
behavioral17
Sample
71b46e95fba31267475537a338f49ce1cd0bc56c0f15346b05b673051cbe90a8.exe
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
7d98972d5c78e1d4969da76856d6818942b606c267efa67fd31d39ae77497e9c.exe
Resource
win7-20240705-en
Behavioral task
behavioral19
Sample
87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
8958d7b8c51215d6a27444b2760f1ce843a414d380052e6e71c2af6e9ab69ce2.exe
Resource
win7-20240704-en
Behavioral task
behavioral21
Sample
ab5be9e6911b43f0974e01dabec772b968274d9b5ea39ba2ad7cd294056e5d09.exe
Resource
win7-20240708-en
Behavioral task
behavioral22
Sample
b228a698ee826b42e19307f2d34c2620819a67a0e98fd2af08aae570b8178cc0.exe
Resource
win7-20240704-en
Behavioral task
behavioral23
Sample
c864a70f78fb972f505ae5b13c0ad984e64c547194beb258926bb4c323fac31d.exe
Resource
win7-20240705-en
Behavioral task
behavioral24
Sample
cfd5d9a4e67799f2428c6071dcc13fcf726f49ec3e706f0302b4592a3a0a08f0.exe
Resource
win7-20240705-en
Behavioral task
behavioral25
Sample
da6f543313480695aab95a5e685741a8d185fba0600363f74063eb1cda0f672e.exe
Resource
win7-20240704-en
Behavioral task
behavioral26
Sample
e05323d9ca6df47d9add5b2f757ea2490ebd11dfe1b56b82a9e93ba9d814e162.exe
Resource
win7-20240705-en
Behavioral task
behavioral27
Sample
e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Resource
win7-20240705-en
Behavioral task
behavioral29
Sample
f08c1c26d375f6881990756e39208017b02af75fca0ebddb72f5e5c14e20363f.exe
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe
Resource
win7-20240705-en
Behavioral task
behavioral31
Sample
f7caf7d69cef15d5c3b9983513e4e40edc3a31c5ead4139bc41d1500442a966a.exe
Resource
win7-20240705-en
Behavioral task
behavioral32
Sample
fcb68445068ebf4cd526d316622f9aa3e8065f9a9f42e5330f66f5cb160be393.exe
Resource
win7-20240705-en
General
-
Target
e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe
-
Size
137KB
-
MD5
9b02b542834573f9502ca83719a73a01
-
SHA1
f3bc7cf16eec977772455f3fce87fed505fb18e3
-
SHA256
e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14
-
SHA512
290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031
-
SSDEEP
3072:Eoy7AHYqr9ACDYVbu4sijUtSWnFA22WnVaxs2gzx+IjBz2:0mr9AHVycjUgWnFAGms2gzoch
Malware Config
Extracted
C:\Users\Admin\Documents\andrianov.txt
3QpLGGaeFwxtV61p1bBUpTBzPcKdtPQpNA
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 3 IoCs
Processes:
resource yara_rule behavioral27/memory/2836-1-0x00000000001C0000-0x00000000001E8000-memory.dmp family_chaos C:\Users\Admin\AppData\Roaming\svchost.exe family_chaos behavioral27/memory/2660-7-0x00000000003D0000-0x00000000003F8000-memory.dmp family_chaos -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 3060 bcdedit.exe 2016 bcdedit.exe -
Renames multiple (239) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Processes:
wbadmin.exepid process 2300 wbadmin.exe -
Drops startup file 3 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\andrianov.txt svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 2660 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b36da31oo.jpg" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2196 vssadmin.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 1636 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
svchost.exepid process 2660 svchost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exesvchost.exepid process 2836 e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe 2836 e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe 2836 e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe 2660 svchost.exe 2660 svchost.exe 2660 svchost.exe 2660 svchost.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exesvchost.exevssvc.exeWMIC.exewbengine.exedescription pid process Token: SeDebugPrivilege 2836 e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe Token: SeDebugPrivilege 2660 svchost.exe Token: SeBackupPrivilege 2188 vssvc.exe Token: SeRestorePrivilege 2188 vssvc.exe Token: SeAuditPrivilege 2188 vssvc.exe Token: SeIncreaseQuotaPrivilege 1464 WMIC.exe Token: SeSecurityPrivilege 1464 WMIC.exe Token: SeTakeOwnershipPrivilege 1464 WMIC.exe Token: SeLoadDriverPrivilege 1464 WMIC.exe Token: SeSystemProfilePrivilege 1464 WMIC.exe Token: SeSystemtimePrivilege 1464 WMIC.exe Token: SeProfSingleProcessPrivilege 1464 WMIC.exe Token: SeIncBasePriorityPrivilege 1464 WMIC.exe Token: SeCreatePagefilePrivilege 1464 WMIC.exe Token: SeBackupPrivilege 1464 WMIC.exe Token: SeRestorePrivilege 1464 WMIC.exe Token: SeShutdownPrivilege 1464 WMIC.exe Token: SeDebugPrivilege 1464 WMIC.exe Token: SeSystemEnvironmentPrivilege 1464 WMIC.exe Token: SeRemoteShutdownPrivilege 1464 WMIC.exe Token: SeUndockPrivilege 1464 WMIC.exe Token: SeManageVolumePrivilege 1464 WMIC.exe Token: 33 1464 WMIC.exe Token: 34 1464 WMIC.exe Token: 35 1464 WMIC.exe Token: SeIncreaseQuotaPrivilege 1464 WMIC.exe Token: SeSecurityPrivilege 1464 WMIC.exe Token: SeTakeOwnershipPrivilege 1464 WMIC.exe Token: SeLoadDriverPrivilege 1464 WMIC.exe Token: SeSystemProfilePrivilege 1464 WMIC.exe Token: SeSystemtimePrivilege 1464 WMIC.exe Token: SeProfSingleProcessPrivilege 1464 WMIC.exe Token: SeIncBasePriorityPrivilege 1464 WMIC.exe Token: SeCreatePagefilePrivilege 1464 WMIC.exe Token: SeBackupPrivilege 1464 WMIC.exe Token: SeRestorePrivilege 1464 WMIC.exe Token: SeShutdownPrivilege 1464 WMIC.exe Token: SeDebugPrivilege 1464 WMIC.exe Token: SeSystemEnvironmentPrivilege 1464 WMIC.exe Token: SeRemoteShutdownPrivilege 1464 WMIC.exe Token: SeUndockPrivilege 1464 WMIC.exe Token: SeManageVolumePrivilege 1464 WMIC.exe Token: 33 1464 WMIC.exe Token: 34 1464 WMIC.exe Token: 35 1464 WMIC.exe Token: SeBackupPrivilege 2504 wbengine.exe Token: SeRestorePrivilege 2504 wbengine.exe Token: SeSecurityPrivilege 2504 wbengine.exe -
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exesvchost.execmd.execmd.execmd.exedescription pid process target process PID 2836 wrote to memory of 2660 2836 e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe svchost.exe PID 2836 wrote to memory of 2660 2836 e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe svchost.exe PID 2836 wrote to memory of 2660 2836 e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe svchost.exe PID 2660 wrote to memory of 2124 2660 svchost.exe cmd.exe PID 2660 wrote to memory of 2124 2660 svchost.exe cmd.exe PID 2660 wrote to memory of 2124 2660 svchost.exe cmd.exe PID 2124 wrote to memory of 2196 2124 cmd.exe vssadmin.exe PID 2124 wrote to memory of 2196 2124 cmd.exe vssadmin.exe PID 2124 wrote to memory of 2196 2124 cmd.exe vssadmin.exe PID 2124 wrote to memory of 1464 2124 cmd.exe WMIC.exe PID 2124 wrote to memory of 1464 2124 cmd.exe WMIC.exe PID 2124 wrote to memory of 1464 2124 cmd.exe WMIC.exe PID 2660 wrote to memory of 1048 2660 svchost.exe cmd.exe PID 2660 wrote to memory of 1048 2660 svchost.exe cmd.exe PID 2660 wrote to memory of 1048 2660 svchost.exe cmd.exe PID 1048 wrote to memory of 3060 1048 cmd.exe bcdedit.exe PID 1048 wrote to memory of 3060 1048 cmd.exe bcdedit.exe PID 1048 wrote to memory of 3060 1048 cmd.exe bcdedit.exe PID 1048 wrote to memory of 2016 1048 cmd.exe bcdedit.exe PID 1048 wrote to memory of 2016 1048 cmd.exe bcdedit.exe PID 1048 wrote to memory of 2016 1048 cmd.exe bcdedit.exe PID 2660 wrote to memory of 2476 2660 svchost.exe cmd.exe PID 2660 wrote to memory of 2476 2660 svchost.exe cmd.exe PID 2660 wrote to memory of 2476 2660 svchost.exe cmd.exe PID 2476 wrote to memory of 2300 2476 cmd.exe wbadmin.exe PID 2476 wrote to memory of 2300 2476 cmd.exe wbadmin.exe PID 2476 wrote to memory of 2300 2476 cmd.exe wbadmin.exe PID 2660 wrote to memory of 1636 2660 svchost.exe NOTEPAD.EXE PID 2660 wrote to memory of 1636 2660 svchost.exe NOTEPAD.EXE PID 2660 wrote to memory of 1636 2660 svchost.exe NOTEPAD.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe"C:\Users\Admin\AppData\Local\Temp\e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2196 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1464 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:3060 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:2016 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:2300 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\andrianov.txt3⤵
- Opens file in notepad (likely ransom note)
PID:1636
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2504
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2316
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:280
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
137KB
MD59b02b542834573f9502ca83719a73a01
SHA1f3bc7cf16eec977772455f3fce87fed505fb18e3
SHA256e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14
SHA512290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031
-
Filesize
987B
MD58d31c8f9e4bb13c044a9825aee0cdfa3
SHA16ff267b0179f7ddebe46e8ba855b5e4d176a9bbb
SHA2565aca5bd47a3fd4a211121870f0124245a87528da86b07cb1a0934566ba0349bf
SHA512878a8b06a392000fba503bcd16766c75c53ea033746fd74da02a5bb3a91bf3b9701fb9c89a5eafc179909727c5e16ac21b293fb5de134770bf30db8ed3ae216a