68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
Size

42KB
MD5

6096dec7644520ba1a4fdc04183bb62f
SHA1

f0eae70b15d663787858a5cc24d8fdf21b67f225
SHA256

68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260
SHA512

3680248b7ef0e7304268fa8b277f5c9d823c82185d0137bfa9d756ce9fb6406b1af0be5f4dfb73199a6ba4b175dbca97ac61600f140043a645279110750c8f05
SSDEEP

768:LO1oR/vVS1RzK4wbs+D/SIJX+ZZ1SQQwZuIOPzDdy6vd8lLF82:LlS1FKnDtkuImg61iW2

Score

10^/10

defense_evasion execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay us. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailboxes: [email protected] or [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (8328) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2628	wbadmin.exe

Deletes itself 1 IoCs

pid	Process
228	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	iplogger.com
5	iplogger.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8623.tmp.bmp"	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215076.WMF	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\wmpnssci.dll.mui	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\PurblePlace.exe.mui	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\wmpnscfg.exe.mui	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21534_.GIF	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guyana	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\+README-WARNING+.txt	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB3A.BDR	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\THMBNAIL.PNG	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00485_.WMF	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\settings.js	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_EN.LEX	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099149.WMF	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Class.zip	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\localizedStrings.js	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\ShvlRes.dll.mui	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\settings.js	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153087.WMF	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPQUOT.XML	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\Minesweeper.exe.mui	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\rt.jar	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183168.WMF	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewTemplate.html	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_right.png	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\wmlaunch.exe.mui	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\+README-WARNING+.txt	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00603_.WMF	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_TexturedBlue.gif	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\calendar.css	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01793_.WMF	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281640.WMF	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter.png	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2840	vssadmin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2368	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3024	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeBackupPrivilege	2696	vssvc.exe
Token: SeRestorePrivilege	2696	vssvc.exe
Token: SeAuditPrivilege	2696	vssvc.exe
Token: SeBackupPrivilege	2080	wbengine.exe
Token: SeRestorePrivilege	2080	wbengine.exe
Token: SeSecurityPrivilege	2080	wbengine.exe
Token: SeIncreaseQuotaPrivilege	108	WMIC.exe
Token: SeSecurityPrivilege	108	WMIC.exe
Token: SeTakeOwnershipPrivilege	108	WMIC.exe
Token: SeLoadDriverPrivilege	108	WMIC.exe
Token: SeSystemProfilePrivilege	108	WMIC.exe
Token: SeSystemtimePrivilege	108	WMIC.exe
Token: SeProfSingleProcessPrivilege	108	WMIC.exe
Token: SeIncBasePriorityPrivilege	108	WMIC.exe
Token: SeCreatePagefilePrivilege	108	WMIC.exe
Token: SeBackupPrivilege	108	WMIC.exe
Token: SeRestorePrivilege	108	WMIC.exe
Token: SeShutdownPrivilege	108	WMIC.exe
Token: SeDebugPrivilege	108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	108	WMIC.exe
Token: SeRemoteShutdownPrivilege	108	WMIC.exe
Token: SeUndockPrivilege	108	WMIC.exe
Token: SeManageVolumePrivilege	108	WMIC.exe
Token: 33	108	WMIC.exe
Token: 34	108	WMIC.exe
Token: 35	108	WMIC.exe
Token: SeIncreaseQuotaPrivilege	108	WMIC.exe
Token: SeSecurityPrivilege	108	WMIC.exe
Token: SeTakeOwnershipPrivilege	108	WMIC.exe
Token: SeLoadDriverPrivilege	108	WMIC.exe
Token: SeSystemProfilePrivilege	108	WMIC.exe
Token: SeSystemtimePrivilege	108	WMIC.exe
Token: SeProfSingleProcessPrivilege	108	WMIC.exe
Token: SeIncBasePriorityPrivilege	108	WMIC.exe
Token: SeCreatePagefilePrivilege	108	WMIC.exe
Token: SeBackupPrivilege	108	WMIC.exe
Token: SeRestorePrivilege	108	WMIC.exe
Token: SeShutdownPrivilege	108	WMIC.exe
Token: SeDebugPrivilege	108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	108	WMIC.exe
Token: SeRemoteShutdownPrivilege	108	WMIC.exe
Token: SeUndockPrivilege	108	WMIC.exe
Token: SeManageVolumePrivilege	108	WMIC.exe
Token: 33	108	WMIC.exe
Token: 34	108	WMIC.exe
Token: 35	108	WMIC.exe
Token: 33	1032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1032	AUDIODG.EXE
Token: 33	1032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1032	AUDIODG.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2684	3024	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe	31
PID 3024 wrote to memory of 2684	3024	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe	31
PID 3024 wrote to memory of 2684	3024	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe	31
PID 3024 wrote to memory of 2684	3024	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe	31
PID 2684 wrote to memory of 2840	2684	cmd.exe	33
PID 2684 wrote to memory of 2840	2684	cmd.exe	33
PID 2684 wrote to memory of 2840	2684	cmd.exe	33
PID 2684 wrote to memory of 2628	2684	cmd.exe	36
PID 2684 wrote to memory of 2628	2684	cmd.exe	36
PID 2684 wrote to memory of 2628	2684	cmd.exe	36
PID 2684 wrote to memory of 108	2684	cmd.exe	40
PID 2684 wrote to memory of 108	2684	cmd.exe	40
PID 2684 wrote to memory of 108	2684	cmd.exe	40
PID 3024 wrote to memory of 228	3024	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe	47
PID 3024 wrote to memory of 228	3024	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe	47
PID 3024 wrote to memory of 228	3024	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe	47
PID 3024 wrote to memory of 228	3024	68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe	47
PID 228 wrote to memory of 2368	228	cmd.exe	49
PID 228 wrote to memory of 2368	228	cmd.exe	49
PID 228 wrote to memory of 2368	228	cmd.exe	49
PID 228 wrote to memory of 2368	228	cmd.exe	49
PID 228 wrote to memory of 2260	228	cmd.exe	50
PID 228 wrote to memory of 2260	228	cmd.exe	50
PID 228 wrote to memory of 2260	228	cmd.exe	50
PID 228 wrote to memory of 2260	228	cmd.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
"C:\Users\Admin\AppData\Local\Temp\68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe"
1⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe
  "C:\Users\Admin\AppData\Local\Temp\68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe" n3024
  2⤵
  PID:2448
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2840
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:2628
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 5 & fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe" & del /q /f "C:\Users\Admin\AppData\Local\Temp\68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 5
    3⤵
    - Runs ping.exe
    PID:2368
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\68dd91e49256ee61ca05a5309db255e9ffe23e8df680ace95d48346e2a39c260.exe"
    3⤵
    PID:2260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2872

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2264

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1484

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2892

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt

Filesize
1KB

MD5
5d377addd5fb119f9d200838847ff087

SHA1
8cdf851e8945d590a672a594cbce8fa354e4542e

SHA256
dd62f39b01cf2120c9e21add9e80396b44704d3d9e5499de2ef26fa5824c10bb

SHA512
c2779f2e5b30bd6d8337e6663cf17d4ae972f758a894d481b01b3d4f7336734259615592fb7a975b134f5cbc5db19647d26a32f7938c975c361c264d36eeae0c

Download Submit