84bebbe2cc14519a656dd6ee54e892191872f7122ebf53ef6b2349a5218c11e1

Resubmissions

18-07-2024 07:25

240718-h84wjs1hpb 10

18-07-2024 07:19

240718-h51pqa1gng 10

17-07-2024 20:55

240717-zqkhmaydmq 10

17-07-2024 19:21

240717-x2pwdaycjb 10

Analysis

max time kernel
295s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
18-07-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bit Paymer.exe
Size

92KB
MD5

998246bd0e51f9582b998ca514317c33
SHA1

5a2d799ac4cca8954fc117c7fb3e868f93c6f009
SHA256

d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2
SHA512

773d9838be9c09bd43a22aa1eada8f623f95739b21828712236a4a209c6d9266647ef43592d072d68399224965253c37f9ce9ef36e46e8191169c03ac7789130
SSDEEP

1536:tacFdjxs2TlWlpnXv91nhixG8/lA5jG8387SpK6jXOMVHoi5e+vRb:taqJC6lWlpnXv7nhixhlAU83VwMCifvR

Score

10^/10

persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.readme_txt

Ransom Note

YOUR COMPANY HAS BEEN SUCCESSFULLY PENETRATED! All files are encrypted. We accept only bitcoins to share the decryption software for your network. Also, we have gathered all your private sensitive data.So if you decide not to pay anytime soon, we would share it with media's. It may harm your business reputation and the company's capitalization fell sharply. Do not try to do it with 3rd-parties programs, files might be damaged then. Decrypting of your files is only possible with the special decryption software. To receive your private key and the decryption software please follow the link (using tor2web service): https://qmnmrba4s4a3py6z.onion.to/order/43e4593a-5dc7-11e7-8803-00163e417ea3 If this address is not available, follow these steps: 1. Download and install Tor Browser: https://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://qmnmrba4s4a3py6z.onion/order/43e4593a-5dc7-11e7-8803-00163e417ea3 4. Follow the instructions on the site 5. This link is valid for 72 hours only. Afetr that period your local data would be lost completely. 6. Any questions: [email protected]

Emails

[email protected]

URLs

https://qmnmrba4s4a3py6z.onion.to/order/43e4593a-5dc7-11e7-8803-00163e417ea3

http://qmnmrba4s4a3py6z.onion/order/43e4593a-5dc7-11e7-8803-00163e417ea3

Signatures

Renames multiple (12313) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Bit Paymer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	Bit Paymer.exe

Executes dropped EXE 3 IoCs

Processes:

zKN3V:exe5FAyVva.exei6A2S:exe

pid process

4088 zKN3V:exe
1296 5FAyVva.exe
4720 i6A2S:exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4088	zKN3V:exe
1296	5FAyVva.exe
4720	i6A2S:exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Bit Paymer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aHRE3 = "C:\\Users\\Admin\\AppData\\Local\\9FihUvK\\56Ld0vC.exe"	Bit Paymer.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

i6A2S:exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	i6A2S:exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	i6A2S:exe

Drops file in Program Files directory 64 IoCs

Processes:

i6A2S:exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui	i6A2S:exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe	i6A2S:exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-125_contrast-white.png	i6A2S:exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	i6A2S:exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\selector.js.readme_txt	i6A2S:exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-heap-l1-1-0.dll.locked	i6A2S:exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js.readme_txt	i6A2S:exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\telemetryrules\hxoutlook.exe_Rules.xml	i6A2S:exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll.locked	i6A2S:exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms.readme_txt	i6A2S:exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\ui-strings.js	i6A2S:exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.locked	i6A2S:exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\123.0.6312.106.manifest	i6A2S:exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.locked	i6A2S:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTOCOLHANDLERINTL.DLL	i6A2S:exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\da_get.svg.readme_txt	i6A2S:exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_zh-TW.dll.locked	i6A2S:exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_1.m4a	i6A2S:exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TextWriterTraceListener.dll.locked	i6A2S:exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Accessibility.dll	i6A2S:exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-private-l1-1-0.dll	i6A2S:exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\SKY.INF.locked	i6A2S:exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Close.png.locked	i6A2S:exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.readme_txt	i6A2S:exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationCore.resources.dll.readme_txt	i6A2S:exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac	i6A2S:exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Microsoft.Xaml.Interactions.dll	i6A2S:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms	i6A2S:exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODATA.DLL.readme_txt	i6A2S:exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll	i6A2S:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle.locked	i6A2S:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.readme_txt	i6A2S:exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare.HxS.readme_txt	i6A2S:exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.locked	i6A2S:exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.readme_txt	i6A2S:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png	i6A2S:exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.locked	i6A2S:exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\tr.pak.locked	i6A2S:exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsFormsIntegration.resources.dll	i6A2S:exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.locked	i6A2S:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.readme_txt	i6A2S:exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui	i6A2S:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoianetutil.dll.locked	i6A2S:exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML.readme_txt	i6A2S:exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\ui-strings.js.readme_txt	i6A2S:exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.readme_txt	i6A2S:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.locked	i6A2S:exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.locked	i6A2S:exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\charsets.jar.readme_txt	i6A2S:exe
File created	C:\Program Files\Microsoft Office\root\Office16\vcruntime140.dll.readme_txt	i6A2S:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL.readme_txt	i6A2S:exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\id_get.svg.locked	i6A2S:exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.locked	i6A2S:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033	i6A2S:exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Net.Resources.dll	i6A2S:exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-200_contrast-black.png	i6A2S:exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	i6A2S:exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClient.resources.dll.readme_txt	i6A2S:exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll	i6A2S:exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\BuildInfo.xml	i6A2S:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\Word 2010 look.dotx.locked	i6A2S:exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OsfInstallerConfigOnLogon.xml.readme_txt	i6A2S:exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.locked	i6A2S:exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Resources.dll	i6A2S:exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

4820 net.exe
Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings OpenWith.exe
NTFS ADS 2 IoCs

Processes:

Bit Paymer.exe5FAyVva.exe

description ioc process

File created C:\Users\Admin\AppData\Local\zKN3V:exe Bit Paymer.exe
File created C:\Users\Admin\AppData\Local\i6A2S:exe 5FAyVva.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1432 NOTEPAD.EXE

pid	process
4820	net.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	OpenWith.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\zKN3V:exe	Bit Paymer.exe
File created	C:\Users\Admin\AppData\Local\i6A2S:exe	5FAyVva.exe

pid	process
1432	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2312 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2312	taskmgr.exe
Token: SeSystemProfilePrivilege	2312	taskmgr.exe
Token: SeCreateGlobalPrivilege	2312	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe
2312	taskmgr.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

OpenWith.exe

pid	process
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Bit Paymer.execmd.exe5FAyVva.exezKN3V:exeOpenWith.exe

description	pid	process	target process
PID 3136 wrote to memory of 3352	3136	Bit Paymer.exe	cmd.exe
PID 3136 wrote to memory of 3352	3136	Bit Paymer.exe	cmd.exe
PID 3136 wrote to memory of 3352	3136	Bit Paymer.exe	cmd.exe
PID 3136 wrote to memory of 4088	3136	Bit Paymer.exe	zKN3V:exe
PID 3136 wrote to memory of 4088	3136	Bit Paymer.exe	zKN3V:exe
PID 3136 wrote to memory of 4088	3136	Bit Paymer.exe	zKN3V:exe
PID 3352 wrote to memory of 1296	3352	cmd.exe	5FAyVva.exe
PID 3352 wrote to memory of 1296	3352	cmd.exe	5FAyVva.exe
PID 3352 wrote to memory of 1296	3352	cmd.exe	5FAyVva.exe
PID 1296 wrote to memory of 4720	1296	5FAyVva.exe	i6A2S:exe
PID 1296 wrote to memory of 4720	1296	5FAyVva.exe	i6A2S:exe
PID 1296 wrote to memory of 4720	1296	5FAyVva.exe	i6A2S:exe
PID 4088 wrote to memory of 4820	4088	zKN3V:exe	net.exe
PID 4088 wrote to memory of 4820	4088	zKN3V:exe	net.exe
PID 4088 wrote to memory of 4820	4088	zKN3V:exe	net.exe
PID 2228 wrote to memory of 1432	2228	OpenWith.exe	NOTEPAD.EXE
PID 2228 wrote to memory of 1432	2228	OpenWith.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\Bit Paymer.exe
"C:\Users\Admin\AppData\Local\Temp\Bit Paymer.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Xf7\5FAyVva.exe 2
2⤵
- Suspicious use of WriteProcessMemory
PID:3352

C:\Users\Admin\AppData\Local\Xf7\5FAyVva.exe
C:\Users\Admin\AppData\Local\Xf7\5FAyVva.exe 2
3⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\i6A2S:exe
C:\Users\Admin\AppData\Local\i6A2S:exe 3 C:\Users\Admin\AppData\Local\Xf7\5FAyVva.exe
4⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:4720

C:\Users\Admin\AppData\Local\zKN3V:exe
C:\Users\Admin\AppData\Local\zKN3V:exe 1 C:\Users\Admin\AppData\Local\Temp\Bit Paymer.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe view
3⤵
- Discovers systems in the same network
PID:4820

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2312

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ConvertToBackup.wav.readme_txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db

Filesize
16KB

MD5
5bdd7593489f211fc3e0f933b7b9b5ea

SHA1
a28327e46e9ffe090d1bfe20f052ac803cdd1482

SHA256
4b7f16050c4459923d04dff29f85af8da4d3b364c72db89a6f7eb8120ba30cc6

SHA512
c15f3b1f33492d58440ba093bbf498b299961c5a6481321fc5997fc211d3e5e9ef098562295867da732ab04e155365ed2b7fae8e4ba4271b74984a9bb3b1c92c

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db

Filesize
289KB

MD5
ed423323e14f358fae1e201fc0f3a3a9

SHA1
9e69c95c1b393e22954f3f13271d4f5d2bc29846

SHA256
b870e1e1e752e38e13cf86b0a7be8dc91fd835e6aab3395c463d28c8306e0360

SHA512
7127b3a54ed4a0a31f80f23eeb93220606d0cfa10b2ab6c51afd0ae2247c961af8103e0b6f12b6c4b051e9c73236b4711200125a0b324118c8b9f13bf52d69e9

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{6FAE413D-EBD4-45FB-907E-CF8BA8F1F96C}.2.ver0x0000000000000001.db

Filesize
1KB

MD5
bf9df572f22caf9d14062802febf98ee

SHA1
3407f93b8fcf5b9152d976fbed52dcc4e9d6aee0

SHA256
e3223ab026243e6ef437399641f665d9839832cd378018e8735e1bee9ca686fd

SHA512
6ce37e3d2596f1e420b9c1295dec455e9700445f091ea26f4ed187d3e68395eb4de144fcc1d4af72683ca3225a8353729e77ceb7933fcb8dd6de70f9084332e6

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db

Filesize
622KB

MD5
e8b24556b7ff24bcccf44c2823749e41

SHA1
24b989916199f6c3268e50393a763b3ee8cfea10

SHA256
f7732d46879e5fd25c5f4e1a1f6bdf18ea5987af1b6de1ee973ecfa523c8e21a

SHA512
da205c221d93de7e71a2c75c38487b293038dff0e01c2fa6fcaae4ecc925885b640082905580445f503e8a884c9205d6d8980b51984ae93d3bf35850f9284002

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
3b4291dab71e1c1e755b808cdc5591f8

SHA1
b7db973d3f663120487efc305c0a46402d5ea87a

SHA256
772d971aacbac3b86df99ef2289f3bd66dc38e07c9e1ede03f44e30cf777c002

SHA512
821fac359cf9fd20531f72d6b208cbb36a8927d333d0f3e74da9461f9f7633964357fd7038a0271e9bf6259b293491b3394ea83ec22543a9807c927b2db114d6

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001b.db

Filesize
94KB

MD5
70e7de044628f0596384fdce8545b167

SHA1
c3492282066378cf3d9b69ba4d9c6c1777862847

SHA256
31a12305f88fc0a5451fdc5f504495c47dba74fa4d3fdd37700bd7f4f36b8e19

SHA512
2989c286952a96324b7bfe543466e683da1cfbf46d7e6862ba97beaeb22a2086b39b7135c592d344b838fd160f0b7da9ce26a373925ffc457fe79b03a97ef2d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.3.ver0x0000000000000001.db

Filesize
288KB

MD5
29653ca47e75646198e9f68626b6235c

SHA1
ffc4e7820c598e58fae1200f91f2617fa4fb6254

SHA256
800408a7ca91d3ec13665d50da982d7afacddf20ca76629e3003aab488683c43

SHA512
03d2aa208a48c154076e5cbb4d07ea74bbef3257093084f89175c2fb8de99818c2be7f13525ea888b3ded38ad90548b18bdda52056ab32b0d0abf1477699b8af

Download Submit
C:\Users\Admin\AppData\Local\Xf7\5FAyVva.exe

Filesize
92KB

MD5
998246bd0e51f9582b998ca514317c33

SHA1
5a2d799ac4cca8954fc117c7fb3e868f93c6f009

SHA256
d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2

SHA512
773d9838be9c09bd43a22aa1eada8f623f95739b21828712236a4a209c6d9266647ef43592d072d68399224965253c37f9ce9ef36e46e8191169c03ac7789130

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt

Filesize
4B

MD5
76390d3429ba451f1e37daae6bc85b51

SHA1
c8e633f4a5ad8991f348fa8bf85dfec134e2c4dc

SHA256
31d694956ddcdb8b2d61ee7b91beb5af37ce0557b6ca44438d2c3ca9f96c56d9

SHA512
cff8a95d7efbabc3ac3c06b721166ac26254eadcbed6296bb17712be07c1b7245ab22fb9b558371b0a69e855451706180ef20ccb57f639cbe818c14d90bd3e54

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.readme_txt

Filesize
1KB

MD5
51fab08a170e3c398e696a5d36cde259

SHA1
b60d83b9db3831998bb5672e4a4a1610cf4e1cb1

SHA256
bab1199a9b43d11429c79f0b15c7e8c8d61ec612aca223aa66fd253eab11f1cb

SHA512
50b95e5bd31ab894e997773c374592bda8a0cf44f92c9b92aad8155928240c1a2d177f81bcdefe72d686413dd9494f8010f66f9e191b7a549fb99902c6f2c3d6

Download Submit
memory/1296-19-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/1296-23-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/2312-4757-0x0000020E789F0000-0x0000020E789F1000-memory.dmp

Filesize
4KB

Download
memory/2312-4760-0x0000020E789F0000-0x0000020E789F1000-memory.dmp

Filesize
4KB

Download
memory/2312-4758-0x0000020E789F0000-0x0000020E789F1000-memory.dmp

Filesize
4KB

Download
memory/2312-4736-0x0000020E789F0000-0x0000020E789F1000-memory.dmp

Filesize
4KB

Download
memory/2312-4756-0x0000020E789F0000-0x0000020E789F1000-memory.dmp

Filesize
4KB

Download
memory/2312-4755-0x0000020E789F0000-0x0000020E789F1000-memory.dmp

Filesize
4KB

Download
memory/2312-4753-0x0000020E789F0000-0x0000020E789F1000-memory.dmp

Filesize
4KB

Download
memory/2312-4735-0x0000020E789F0000-0x0000020E789F1000-memory.dmp

Filesize
4KB

Download
memory/2312-4734-0x0000020E789F0000-0x0000020E789F1000-memory.dmp

Filesize
4KB

Download
memory/2312-4759-0x0000020E789F0000-0x0000020E789F1000-memory.dmp

Filesize
4KB

Download
memory/3136-0-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/3136-11-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/3136-1-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/4088-13142-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/4088-6508-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/4088-14-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/4720-71927-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/4720-26-0x0000000000C10000-0x0000000000C16000-memory.dmp

Filesize
24KB

Download
memory/4720-83153-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/4720-6512-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/4720-86309-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download