Analysis
max time kernel: 92s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-08-2024 01:45
Static task: static1
Behavioral task: behavioral1
  Sample: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
  Resource: win10v2004-20240802-en
General
Target: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
Size: 1.0MB
MD5: 69a45130e5e5aadaae4f023c6ea37725
SHA1: 28e1f0d8e479597f4d7b20c43bc8044482ebbc74
SHA256: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f
SHA512: 357f9b5aca858c8a77b124674c4469a760cf7db340263217d02787eebeccef3c2e13676a8fbe44336cee6b3d3ff189b12ee197f4da6584be0ec6b9cedd7dc807
SSDEEP: 24576:6QMc/LMx3+ZoXdEwZuS2+gYUdX4h3dHt:668uZoNEwBg3XSJ
Malware Config
Signatures
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes: bcdedit.exe, bcdedit.exe
  PID 3756  bcdedit.exe
  PID 1060  bcdedit.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation

Drops startup file 2 IoCs
Processes: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BF94917EF70A310FD818BC62B5A43BB5.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BF94917EF70A310FD818BC62B5A43BB5.exe
Drops desktop.ini file(s) 28 IoCs
Processes: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
  File opened (read-only): \??\F:

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\BF94917EF70A310FD818BC62B5A43BB5.bmp"
Drops file in Program Files directory 64 IoCs
Processes: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  PID 2656  vssadmin.exe

Modifies Control Panel 3 IoCs
Processes: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
  Key created: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop
  Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\WallpaperStyle = "2"
  Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\TileWallpaper = "0"

Modifies registry class 1 IoCs
Processes: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
  Key created: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
  PID 2972  814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
  PID 2972  814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes: WMIC.exe, vssvc.exe
  Token: SeIncreaseQuotaPrivilege  PID 3220  WMIC.exe
  Token: SeSecurityPrivilege  PID 3220  WMIC.exe
  Token: SeTakeOwnershipPrivilege  PID 3220  WMIC.exe
  Token: SeLoadDriverPrivilege  PID 3220  WMIC.exe
  Token: SeSystemProfilePrivilege  PID 3220  WMIC.exe
  Token: SeSystemtimePrivilege  PID 3220  WMIC.exe
  Token: SeProfSingleProcessPrivilege  PID 3220  WMIC.exe
  Token: SeIncBasePriorityPrivilege  PID 3220  WMIC.exe
  Token: SeCreatePagefilePrivilege  PID 3220  WMIC.exe
  Token: SeBackupPrivilege  PID 3220  WMIC.exe
  Token: SeRestorePrivilege  PID 3220  WMIC.exe
  Token: SeShutdownPrivilege  PID 3220  WMIC.exe
  Token: SeDebugPrivilege  PID 3220  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  PID 3220  WMIC.exe
  Token: SeRemoteShutdownPrivilege  PID 3220  WMIC.exe
  Token: SeUndockPrivilege  PID 3220  WMIC.exe
  Token: SeManageVolumePrivilege  PID 3220  WMIC.exe
  Token: 33  PID 3220  WMIC.exe
  Token: 34  PID 3220  WMIC.exe
  Token: 35  PID 3220  WMIC.exe
  Token: 36  PID 3220  WMIC.exe
  Token: SeBackupPrivilege  PID 4644  vssvc.exe
  Token: SeRestorePrivilege  PID 4644  vssvc.exe
  Token: SeAuditPrivilege  PID 4644  vssvc.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
  PID 2972 wrote to memory of 1980: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe -> cmd.exe
  PID 2972 wrote to memory of 1980: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe -> cmd.exe
  PID 2972 wrote to memory of 384: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe -> cmd.exe
  PID 2972 wrote to memory of 384: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe -> cmd.exe
  PID 2972 wrote to memory of 3548: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe -> cmd.exe
  PID 2972 wrote to memory of 3548: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe -> cmd.exe
  PID 2972 wrote to memory of 3848: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe -> cmd.exe
  PID 2972 wrote to memory of 3848: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe -> cmd.exe
  PID 1980 wrote to memory of 2656: cmd.exe -> vssadmin.exe
  PID 1980 wrote to memory of 2656: cmd.exe -> vssadmin.exe
  PID 3848 wrote to memory of 3220: cmd.exe -> WMIC.exe
  PID 3848 wrote to memory of 3220: cmd.exe -> WMIC.exe
  PID 384 wrote to memory of 3756: cmd.exe -> bcdedit.exe
  PID 384 wrote to memory of 3756: cmd.exe -> bcdedit.exe
  PID 3548 wrote to memory of 1060: cmd.exe -> bcdedit.exe
  PID 3548 wrote to memory of 1060: cmd.exe -> bcdedit.exe
  PID 2972 wrote to memory of 4304: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe -> NOTEPAD.EXE
  PID 2972 wrote to memory of 4304: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe -> NOTEPAD.EXE
System policy modification 1 TTPs 3 IoCs
Processes: 814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Kuza"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Email us for recovery: [email protected]\n In case of no answer, send to this email: [email protected]\nYour unqiue ID:\nBF94917EF70A310FD818BC62B5A43BB5"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe"
  - Checks computer location settings
  - Drops startup file
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2972
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin Delete Shadows /All /Quiet
      - Suspicious use of WriteProcessMemory
      PID: 1980
        C:\Windows\system32\vssadmin.exe
          Command line: vssadmin Delete Shadows /All /Quiet
          - Interacts with shadow copies
          PID: 2656
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
      - Suspicious use of WriteProcessMemory
      PID: 384
        C:\Windows\system32\bcdedit.exe
          Command line: bcdedit /set {default} recoveryenabled No
          - Modifies boot configuration data using bcdedit
          PID: 3756
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
      PID: 3548
        C:\Windows\system32\bcdedit.exe
          Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit
          PID: 1060
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY /nointeractive
      - Suspicious use of WriteProcessMemory
      PID: 3848
        C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic SHADOWCOPY /nointeractive
          - Suspicious use of AdjustPrivilegeToken
          PID: 3220
    C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\dotnet\#Read-for-recovery.txt
      PID: 4304
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 4644
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 85878ca4e03f16a1971a0389c5f6c0f2
SHA1: bedb405c3a536c0f3a1de80699c31a010f3928af
SHA256: e38edec5cd459720895c86eac816ee0db40af3409c8f506bdef54ca8f8af47db
SHA512: dca6a733f89d12fae43df824de281f8ba125059403e685c8c5b114c7c020e9015f286577593a31e127d923981ee72434e64d391f16ebcd03ca7324559dfd88bd