infinitylock | f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

Analysis

max time kernel
137s
max time network
142s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

211KB
MD5

b805db8f6a84475ef76b795b0d1ed6ae
SHA1

7711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256

f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA512

62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
SSDEEP

1536:YoCFfC303p22fkZrRQpnqjoi7l832fbu9ZXILwVENbM:rCVC303p22sZrRQpnviB832Du9WMON

Score

10^/10

infinitylock discovery ransomware

Malware Config

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1036\MSO.ACL.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\VelvetRose.css.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\LoanAmortization.xltx.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSOINTL.REST.IDX_DLL.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00174_.WMF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01293_.GIF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0185604.WMF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15156_.GIF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\FPEXT.MSG.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00346_.WMF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.ICO.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR49B.GIF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplate.html.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR3F.GIF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\GIGGLE.WAV.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImagesMask.bmp.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\msolui100.rll.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217262.WMF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241019.WMF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00234_.WMF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.dll.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7ES.DLL.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYVERTBB.DPV.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15276_.GIF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Contacts.accdt.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00694_.WMF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00170_.WMF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageSlice.gif.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ContactSelector.ico.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCARD.DPV.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL105.XML.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FORMCTL.POC.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\THMBNAIL.PNG.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086426.WMF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293236.WMF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21308_.GIF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215070.WMF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV.HXS.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTL.ICO.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086424.WMF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CGMIMP32.HLP.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749G.GIF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21304_.GIF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left.gif.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\CONCRETE.ELM.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SPRNG_01.MID.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10302_.GIF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21413_.GIF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OnLineBusy.ico.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107316.WMF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01858_.WMF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143758.GIF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielMergeLetter.Dotx.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_sk.dll.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153095.WMF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	[email protected]

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	ehshell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ehshell.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	[email protected]
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	[email protected]
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ehshell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ehshell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ehshell.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3_auto_file\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3_auto_file\shell\open\command\ = "\"C:\\Windows\\eHome\\ehshell.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3\ = "7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3_auto_file\shell	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2956	ehshell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
284	rundll32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	[email protected]
Token: 33	1672	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1672	AUDIODG.EXE
Token: 33	1672	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1672	AUDIODG.EXE
Token: SeDebugPrivilege	2956	ehshell.exe
Token: SeShutdownPrivilege	2956	ehshell.exe
Token: SeDebugPrivilege	1160	ehshell.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 284 wrote to memory of 2956	284	rundll32.exe	37
PID 284 wrote to memory of 2956	284	rundll32.exe	37
PID 284 wrote to memory of 2956	284	rundll32.exe	37
PID 2956 wrote to memory of 2468	2956	ehshell.exe	39
PID 2956 wrote to memory of 2468	2956	ehshell.exe	39
PID 2956 wrote to memory of 2468	2956	ehshell.exe	39
PID 2956 wrote to memory of 2468	2956	ehshell.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1692

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x56c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:284
- C:\Windows\eHome\ehshell.exe
  "C:\Windows\eHome\ehshell.exe" "C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3"
  2⤵
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /SkipFUE /RemoteOCXLaunch /SuppressDialogs
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2468

C:\Windows\eHome\ehshell.exe
"C:\Windows\eHome\ehshell.exe" "C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3

Filesize
352B

MD5
f5b32415da180dfafa8fbe23c357efa6

SHA1
facdd9065b734b6d2f2a9df7b0773317f5238cd8

SHA256
0933e5555f73de6877f93cd121bcde4ffac3bae724406ac51678ad4ab0f19f3b

SHA512
6b83b347bca42c38b94bee85b1b54386d9548beb2a791b3fe58f5959b8aa924931ccdaaa01a7533524f0f26a954475c32a8f099f1e16c61f6f3866bb25c0bfcc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3

Filesize
224B

MD5
1d1568b18791510ed48a9b4f7a25bf7d

SHA1
b3acbfcc4d5701c03457c79871d76971db5da50d

SHA256
20c63667dbcef4ca9525f0d48e41ecd7db9daedf26e85c73d93c4981b2793dcd

SHA512
29f3eb089e65f5eaeb5032a410151075da27a83892733cdf573cb214537063a20e907e11e44b6d0428394e2220cad1fe0eb167f81f050ce016cb7aff1f77930f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3

Filesize
128B

MD5
99858247f2f6cbc14d7d2f34117783b4

SHA1
53ac785e34d2520e85609669803b1acf59ac1e84

SHA256
92b8855ef8d988b5e54f95155c463b210370a15a9b0813e8fdf36dc529a967b5

SHA512
932942d498118806b5327d2149eeb7a450afdc33cb72388dd8920aedd9f4871cc06bab6c937894ba0ca7055ce716aa26748d4ed79fb60c6082d6cd42f140ad28

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3

Filesize
128B

MD5
53bdcfa1bef370b21b59dc9e3b9708a9

SHA1
cbc23204477925a6c13881aa1d311432d6a74e75

SHA256
aae7671560d88c0ed3981b8baa424aff1b982bd9bc6d44a352eb21b0ca3d57e2

SHA512
389ce2f18d8eae2c0b02bf9760dfb844b19719002ca6e6b78e8eddcc863e9baaeca38f3af0708e088e983845f59a63d6fd24e38b4bb2f0ebeb0f669980e54cec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3

Filesize
192B

MD5
c64344ac408dc8a6e6cb2fc821ce744d

SHA1
19b334f28d63ee7b4142691eebb236a5e6efb0f5

SHA256
22958a0d3a021812553d7eb76aed8b489ce928f9cfcc9acf11dc67fd9a9ac7b3

SHA512
92add1a9b0925e05bd6b04c454bb5f54e5993668a2c86be2d6b7fc9cec823d9684be182476aa167a3b17c2570281b5b66899d531d28e2b16549a0b0264d5e099

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3

Filesize
512B

MD5
490ba77f21ec07938a02c9c7ce0d2384

SHA1
4f8faea14066679977732f4528a3dec77e63c246

SHA256
3aa0f8036601f3bfe5ebf0db45288e4e4868931aadc8b8bfca9fba89528882c3

SHA512
89f83d353f7c058815aad821303fe93d2f937d2666efdab9f8a60afbdfc0a44238bf6c68adbb2b55a8448a0f1a028733449cadbbe251aa7eca8e46e56a32d78b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3

Filesize
1KB

MD5
4c587dea57e61f93cf1572566e64d481

SHA1
8582e5d290d30c8f4f510b2a32dbabe9c543a833

SHA256
e1914d13f53ce17c7f401b006d80f640806f2b56a20e45248125872e44dfa77b

SHA512
eb90460bff6015f0aa01ad371e63e3cbdbc69684e57baf4e684a088a1ecd6b0df60d0184c9625ca3639d15dba8974f2b80866e3b76de1409198bc94271ba0829

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.7EAA8042ADBE7DD730DDF8CC5F2276958E8E71C33C39EC080D711F0D502086E3

Filesize
816B

MD5
a732e1bd51d7293fb84a1e63a3c26b00

SHA1
103f826fcfc54b4a71a0685065de915f5f2b9d80

SHA256
edb5a6a817111a85311f1a65dc19f36b4a7b73e3ef5566b1fbeb777ce7a85ae9

SHA512
ff4a5d3116938a2dfa2fc44e2d836769b8147e5e48a661bf2d5aa1a32567948df2a1bcec9dbd06c565ef1aea3a5be1416d705afe4a793b9c396fe6de07e8c048

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms~RFf791a92.TMP

Filesize
1KB

MD5
55c8b8f7864bdac10db539a6002f1682

SHA1
8d4c40c1fd34258fe0bd87a01c4453c94dee2538

SHA256
f672c54ea3e3f81351a07b54d2689097d58269a50a6626d349a98862c213b18b

SHA512
3137fadc212082f64889e4b2cf4a132f20641022949435840c145541b27ad15c57520bcccf256f66a0315b9f7070bfad34242d35371dff38db9a87c2cc162502

Download Submit
memory/1688-5302-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1688-0-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/1688-1-0x0000000000200000-0x000000000023C000-memory.dmp

Filesize
240KB

Download
memory/1688-2-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1688-565-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1688-5303-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1688-561-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/2956-5305-0x000000001E160000-0x000000001E768000-memory.dmp

Filesize
6.0MB

Download
memory/2956-5306-0x000000001E770000-0x000000001E8F4000-memory.dmp

Filesize
1.5MB

Download
memory/2956-5307-0x000000001B790000-0x000000001B82E000-memory.dmp

Filesize
632KB

Download
memory/2956-5308-0x000000001CD40000-0x000000001CDF8000-memory.dmp

Filesize
736KB

Download
memory/2956-5323-0x000000001F750000-0x000000001F787000-memory.dmp

Filesize
220KB

Download
memory/2956-5324-0x000000001DBC0000-0x000000001DBCA000-memory.dmp

Filesize
40KB

Download