84bebbe2cc14519a656dd6ee54e892191872f7122ebf53ef6b2349a5218c11e1

Resubmissions

18-07-2024 07:25

240718-h84wjs1hpb 10

18-07-2024 07:19

240718-h51pqa1gng 10

17-07-2024 20:55

240717-zqkhmaydmq 10

17-07-2024 19:21

240717-x2pwdaycjb 10

Analysis

max time kernel
1558s
max time network
1559s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
Size

121KB
MD5

eac0a08470ee67c63b14ae2ce7f6aa61
SHA1

285c0163376d5d9a5806364411652fe73424d571
SHA256

fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7
SHA512

f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5
SSDEEP

1536:3THoX8wNjiMsyPcjgbKx534oU6Llg/iLBkZhifkdol9LYuVF5yZbn:DjksYKx5o3Slg/itMg8+LYu9ubn

Score

9^/10

defense_evasion evasion execution impact persistence ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2116	BC1C9B74EA.exe
3064	BC1C9B74EA.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\BC1C9B74EA = "\"C:\\Users\\Admin\\AppData\\Roaming\\BC1C9B74EA.exe\""	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*BC1C9B74EA = "\"C:\\Users\\Admin\\AppData\\Roaming\\BC1C9B74EA.exe\""	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FF1C9B74EA = "\"C:\\Users\\Admin\\AppData\\Roaming\\BC1C9B74EA.exe\""	BC1C9B74EA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FF1C9B74EA = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe\""	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	BC1C9B74EA.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2624 set thread context of 2236	2624	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	30
PID 2116 set thread context of 3064	2116	BC1C9B74EA.exe	62

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\_HELP_INSTRUCTION.TXT	BC1C9B74EA.exe
File opened for modification	C:\Program Files (x86)\_HELP_INSTRUCTION.TXT	BC1C9B74EA.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\_HELP_INSTRUCTION.TXT	BC1C9B74EA.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3000	sc.exe
2608	sc.exe
848	sc.exe
2560	sc.exe
2200	sc.exe
2556	sc.exe
2952	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1108	vssadmin.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe:Zone.Identifier	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe

Opens file in notepad (likely ransom note) 5 IoCs

ransomware

pid	Process
2148	NOTEPAD.EXE
752	NOTEPAD.EXE
2708	NOTEPAD.EXE
2040	NOTEPAD.EXE
844	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2912	vssvc.exe
Token: SeRestorePrivilege	2912	vssvc.exe
Token: SeAuditPrivilege	2912	vssvc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
844	NOTEPAD.EXE
2148	NOTEPAD.EXE
2040	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2236	2624	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	30
PID 2624 wrote to memory of 2236	2624	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	30
PID 2624 wrote to memory of 2236	2624	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	30
PID 2624 wrote to memory of 2236	2624	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	30
PID 2624 wrote to memory of 2236	2624	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	30
PID 2624 wrote to memory of 2236	2624	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	30
PID 2624 wrote to memory of 2236	2624	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	30
PID 2624 wrote to memory of 2236	2624	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	30
PID 2624 wrote to memory of 2236	2624	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	30
PID 2624 wrote to memory of 2236	2624	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	30
PID 2624 wrote to memory of 2236	2624	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	30
PID 2236 wrote to memory of 2784	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	31
PID 2236 wrote to memory of 2784	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	31
PID 2236 wrote to memory of 2784	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	31
PID 2236 wrote to memory of 2784	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	31
PID 2236 wrote to memory of 2896	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	33
PID 2236 wrote to memory of 2896	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	33
PID 2236 wrote to memory of 2896	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	33
PID 2236 wrote to memory of 2896	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	33
PID 2236 wrote to memory of 2664	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	35
PID 2236 wrote to memory of 2664	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	35
PID 2236 wrote to memory of 2664	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	35
PID 2236 wrote to memory of 2664	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	35
PID 2236 wrote to memory of 2692	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	37
PID 2236 wrote to memory of 2692	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	37
PID 2236 wrote to memory of 2692	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	37
PID 2236 wrote to memory of 2692	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	37
PID 2236 wrote to memory of 2712	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	39
PID 2236 wrote to memory of 2712	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	39
PID 2236 wrote to memory of 2712	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	39
PID 2236 wrote to memory of 2712	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	39
PID 2896 wrote to memory of 2200	2896	cmd.exe	38
PID 2896 wrote to memory of 2200	2896	cmd.exe	38
PID 2896 wrote to memory of 2200	2896	cmd.exe	38
PID 2896 wrote to memory of 2200	2896	cmd.exe	38
PID 2784 wrote to memory of 2560	2784	cmd.exe	40
PID 2784 wrote to memory of 2560	2784	cmd.exe	40
PID 2784 wrote to memory of 2560	2784	cmd.exe	40
PID 2784 wrote to memory of 2560	2784	cmd.exe	40
PID 2664 wrote to memory of 2556	2664	cmd.exe	42
PID 2664 wrote to memory of 2556	2664	cmd.exe	42
PID 2664 wrote to memory of 2556	2664	cmd.exe	42
PID 2664 wrote to memory of 2556	2664	cmd.exe	42
PID 2236 wrote to memory of 2668	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	44
PID 2236 wrote to memory of 2668	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	44
PID 2236 wrote to memory of 2668	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	44
PID 2236 wrote to memory of 2668	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	44
PID 2236 wrote to memory of 1716	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	46
PID 2236 wrote to memory of 1716	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	46
PID 2236 wrote to memory of 1716	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	46
PID 2236 wrote to memory of 1716	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	46
PID 2712 wrote to memory of 2608	2712	cmd.exe	48
PID 2712 wrote to memory of 2608	2712	cmd.exe	48
PID 2712 wrote to memory of 2608	2712	cmd.exe	48
PID 2712 wrote to memory of 2608	2712	cmd.exe	48
PID 2692 wrote to memory of 2952	2692	cmd.exe	49
PID 2692 wrote to memory of 2952	2692	cmd.exe	49
PID 2692 wrote to memory of 2952	2692	cmd.exe	49
PID 2692 wrote to memory of 2952	2692	cmd.exe	49
PID 2668 wrote to memory of 3000	2668	cmd.exe	50
PID 2668 wrote to memory of 3000	2668	cmd.exe	50
PID 2668 wrote to memory of 3000	2668	cmd.exe	50
PID 2668 wrote to memory of 3000	2668	cmd.exe	50
PID 2236 wrote to memory of 2720	2236	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	51

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
"C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
  "C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop VVS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\sc.exe
      sc stop VVS
      4⤵
      Launches sc.exe
      PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wscsvc
      4⤵
      Launches sc.exe
      PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop wuauserv
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop BITS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\sc.exe
      sc stop BITS
      4⤵
      Launches sc.exe
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop ERSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\sc.exe
      sc stop ERSvc
      4⤵
      Launches sc.exe
      PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop WerSvc
    3⤵
    PID:1716
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WerSvc
      4⤵
      Launches sc.exe
      PID:848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:2720
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2252
- - C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
    C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2116
  - - C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
      C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Drops file in Windows directory
      PID:3064
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_HELP_INSTRUCTION.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:752
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_HELP_INSTRUCTION.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2708
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_HELP_INSTRUCTION.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        Suspicious use of FindShellTrayWindow
        
        PID:2040
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_HELP_INSTRUCTION.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        Suspicious use of FindShellTrayWindow
        
        PID:844
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_HELP_INSTRUCTION.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        Suspicious use of FindShellTrayWindow
        
        PID:2148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\_HELP_INSTRUCTION.TXT

Filesize
1KB

MD5
a66096f3592531f74e0d5ebb9539d925

SHA1
b7b1ccc2932bf4c97b2481529919d44c3fbde055

SHA256
6f5bf60dc263c7a4dc5d0489b32e7ef2ed1203e3a19567a49ea56cdcda7f6ce1

SHA512
3da01c19c8982dd588843dee1ea31bbaae6536c768131a6e5bb134720f780080efdfe2ac5b5346f976a7f4252d65e86683018d9888c23eab66588391f524801b

Download Submit
\Users\Admin\AppData\Roaming\BC1C9B74EA.exe

Filesize
121KB

MD5
eac0a08470ee67c63b14ae2ce7f6aa61

SHA1
285c0163376d5d9a5806364411652fe73424d571

SHA256
fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7

SHA512
f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5

Download Submit
memory/2236-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2236-4-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2236-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2624-1-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/3064-72-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-97-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-32-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-37-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-42-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-47-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-52-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-57-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-62-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-67-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-26-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-77-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-82-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-87-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-92-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-28-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-102-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-23-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-118-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-120-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-131-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-137-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-142-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-144-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-146-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-148-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-150-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-152-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-154-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads