3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

Analysis

max time kernel
1562s
max time network
1563s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Size

52KB
MD5

ba9210de03de945901f02792f7994871
SHA1

20c4569cbb6f2650b02f6a5257faa8a8dfb298bd
SHA256

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d
SHA512

277d26eea627b3da26664aaa4f72a7b79cd50311e45c59333563b4f58b76e6562cbaa1d55127c69d0830864721efa890fa824e1be381cca5e84bddc98f2b44d0
SSDEEP

1536:EJJRZQJes5b0k5bbyu6hXOKJrkH6sNNW:oJRa4kLmNVOKJIasNE

Score

10^/10

defense_evasion evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\README_8505163.txt

Ransom Note

Hello! All your files have been encrypted... Your personal Id: AhJg0DoXZJhSOiPuNfKnKUMnC+OA9rqN1bpJHq56nxwJiBYPyLMuUJ8I6uqNmYNGWxQdTeWrqxdfQhV4Lf55RNEsVWaVggwfID2aTtjLjljdI8ke55WcYYDjPMfwDIMPuIDAg5haye/oxPkMITE0on/wRzIjEBdgg1iNLOeQYIt6pSavcQOFOofoXUs0iWfuO0Hs5Gi/o9yNYtztu2zf4dY+XVyF1qjF9SneWpUYEJ8DIpCz3d97zYYq7Z22zPHX6W7fmQB9yEPsq5k8RH8xzwftnhANAIaqaXhNYGkR3cDmVMQZQ47/5XTVUzGboxYsI+yksc0FCQv5BvO9AHY/7w++ZW4tVVNfODUwNTE2M19BZG1pbl83LzE2LzIwMjQgOTowNDo1NyBBTV9XaW4gN19ibHV0NF9lY2ZiNWM5NWQwZjNkMTEyNjUwZWY0MDQ3OTM2ZThmYTUyNDRjMjFjOTIxZjZjN2E2OTYzZTkyYWJhYjQ5NDlk To decrypt your files, write to email: [email protected] or [email protected] In the letter, send your personal Id and 2 small encrypted files for trial decryption. If you dont get answer from [email protected] or [email protected] in 72 hours, you need to install tor browser, you can download it here: https://www.torproject.org/download/download.html.en After installation, open the tor browser to website: http://t5vj34iny72dpdu4.onion and follow the instructions. Do not try restore files without our help, this is useless, and can destroy you data permanetly. However, the files can be recovered even after the removal of our program and even after reinstalling the operating system. Download the decoding video here: https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Emails

[email protected]

URLs

http://t5vj34iny72dpdu4.onion

https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2820 bcdedit.exe
2828 bcdedit.exe
Disables Task Manager via registry modification
evasion
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1256 cmd.exe

pid	process
2820	bcdedit.exe
2828	bcdedit.exe

pid	process
1256	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe"	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Drops desktop.ini file(s) 26 IoCs

Processes:

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

description	ioc	process
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Desktop\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Recorded TV\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Contacts\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Links\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Videos\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Music\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Documents\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Downloads\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Searches\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Libraries\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Pictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Videos\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Downloads\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Pictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Music\Sample Music\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Favorites\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Documents\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Desktop\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Music\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Videos\Sample Videos\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Drops file in Program Files directory 2 IoCs

Processes:

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

description	ioc	process
File created	C:\Program Files\README_8505163.txt	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Program Files (x86)\README_8505163.txt	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Drops file in Windows directory 1 IoCs

Processes:

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

description ioc process

File created C:\Windows\README_8505163.txt ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

876 vssadmin.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2164 PING.EXE

description	ioc	process
File created	C:\Windows\README_8505163.txt	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

pid	process
876	vssadmin.exe

pid	process
2164	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

pid	process
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Token: SeBackupPrivilege	1636	vssvc.exe
Token: SeRestorePrivilege	1636	vssvc.exe
Token: SeAuditPrivilege	1636	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.execmd.execmd.exe

description	pid	process	target process
PID 2088 wrote to memory of 2160	2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	cmd.exe
PID 2088 wrote to memory of 2160	2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	cmd.exe
PID 2088 wrote to memory of 2160	2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	cmd.exe
PID 2088 wrote to memory of 1256	2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	cmd.exe
PID 2088 wrote to memory of 1256	2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	cmd.exe
PID 2088 wrote to memory of 1256	2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	cmd.exe
PID 2088 wrote to memory of 1256	2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	cmd.exe
PID 2088 wrote to memory of 1256	2088	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	cmd.exe
PID 2160 wrote to memory of 876	2160	cmd.exe	vssadmin.exe
PID 2160 wrote to memory of 876	2160	cmd.exe	vssadmin.exe
PID 2160 wrote to memory of 876	2160	cmd.exe	vssadmin.exe
PID 1256 wrote to memory of 2164	1256	cmd.exe	PING.EXE
PID 1256 wrote to memory of 2164	1256	cmd.exe	PING.EXE
PID 1256 wrote to memory of 2164	1256	cmd.exe	PING.EXE
PID 2160 wrote to memory of 2820	2160	cmd.exe	bcdedit.exe
PID 2160 wrote to memory of 2820	2160	cmd.exe	bcdedit.exe
PID 2160 wrote to memory of 2820	2160	cmd.exe	bcdedit.exe
PID 2160 wrote to memory of 2828	2160	cmd.exe	bcdedit.exe
PID 2160 wrote to memory of 2828	2160	cmd.exe	bcdedit.exe
PID 2160 wrote to memory of 2828	2160	cmd.exe	bcdedit.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
"C:\Users\Admin\AppData\Local\Temp\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:876
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2820
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2828
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\system32\PING.EXE
    ping -n 1 -w 5000 10.10.254.254
    3⤵
    - Runs ping.exe
    PID:2164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\README_8505163.txt

Filesize
1KB

MD5
91efb38a435e05e3c8a28899d17d1535

SHA1
4096ec3a546b1b91ec950ff79d12d0f8ea27a5f1

SHA256
e983d181aa4a98c84528dd669ded7529a2078111267475928ecd461c39dc97dd

SHA512
b21dcf65719af6b0cbd448a812b2413748542e3704e1283b7ff67def308b6f1850939cb03138d9e3d399c7487cca71e7ef204b37426c954fedadb8425dff60e1

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml

Filesize
582KB

MD5
c3f146632cb5d0e2323c2fc5102e4d42

SHA1
8713c3d2d7c32a22686dd2b2cf7835b47a9520ad

SHA256
673f79b5ae207c3a99c127f7653bc74ed245205c183623b62d86567cfc1228a6

SHA512
e2ecea00ca4c06a57e9e6e871852aafb00a1e65992ff499e77808478311d573bf617e3a3779f41d49555cbf1daac67cb38a09990d07f7f08d7caf0d1784ed2a4

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
140KB

MD5
ac2b1cb47693f8ef63f346eb906550f3

SHA1
a0a916d7d5edb01fee5779526d377133f911089e

SHA256
c67e77b8dcbaf89c251328e2e857dbc03f97c987b97ca369fa33c4b3ebeb7b5f

SHA512
23c9c633b705f558e69ea2308c1543f2a7cf96e108d1ad53c2637e05b84319dbcbd416275a6c8e7764587ee1b0b68418069bf2d6beaae3905e199929bd5aa856

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
167B

MD5
d1df9bb96b34b2b9cba30dc139a00ef8

SHA1
44e80d8b875f296f7087eadc0584276fb68fa323

SHA256
17bdd9c1355d56e607eae45138d64ed86ebb1369dfcdf4f7ef313124c2f098bc

SHA512
7029c53a5de207b495c512bbfc160ccb1d76fb0101ff5bef497cc0bfa570228b5d641e3fb34ee4d17585a19e4ce0b1337f7e14750c70a014d69c1d8afa4f7ec2

Download Submit
C:\Users\Admin\AppData\Roaming\delback.bat

Filesize
147B

MD5
2450c91afcc2d4cc3dea374820bed314

SHA1
dd1b61d0aa6d1769018c1d3144de9bb960a64d3c

SHA256
4f157084c6e48b547e698ed83ae9a853a4db4b7a115249db272e3eb93316f7df

SHA512
b0b21d16b7f35bfc5526ed07407ec85a221a7a036827b65dce0a449d02a31f3f6f5ce2fbf94f0af01ce4a248b27ccf5f287dd2746ee423766be8d366f78ccc91

Download Submit
C:\Users\Admin\Desktop\EditSend.xlsx

Filesize
10KB

MD5
45b246e1a4619b291672cf44f1507835

SHA1
71508a182cccc0a2d803bdd976a04c501ec9e920

SHA256
41f21d8261a3ead2e5e4a8372ea7534f116e506c31736561d0ebe3782bbcb781

SHA512
24cced0a6899b970a1a2ca349b4caa099dd696fb69a46b7f70f9f2cef559f8ef40378451bfbfe78015d995169cc92a203778b866b44772246e485a3cfba0c2e1

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
c1945622f108598d665c2c270c551de3

SHA1
f3125647337e064fa3653902a943e9645efe8d98

SHA256
eeb4eada194abec0d51fb844243bd2a575f8f02015f1cba94ea27638dd755c9c

SHA512
3c39736f1eb5e6aa4451f1bd489b1f535d97370dc33c89d72b5510a09c98b335126b54b6deec59cc6696f1ef834364c0aaa1dfe3a94d216031b685e7acde01ed

Download Submit
memory/2088-561-0x000007FEF5C63000-0x000007FEF5C64000-memory.dmp

Filesize
4KB

Download
memory/2088-0-0x000007FEF5C63000-0x000007FEF5C64000-memory.dmp

Filesize
4KB

Download
memory/2088-1033-0x000007FEF5C60000-0x000007FEF664C000-memory.dmp

Filesize
9.9MB

Download
memory/2088-2-0x000007FEF5C60000-0x000007FEF664C000-memory.dmp

Filesize
9.9MB

Download
memory/2088-1-0x0000000000230000-0x0000000000244000-memory.dmp

Filesize
80KB

Download
memory/2088-1045-0x000007FEF5C60000-0x000007FEF664C000-memory.dmp

Filesize
9.9MB

Download