3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673

Analysis

max time kernel
75s
max time network
80s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
Size

127KB
MD5

1f6297d8f742cb578bfa59735120326b
SHA1

ff6eca213cad5c2a139fc0dc0dc6a8e6d3df7b17
SHA256

3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673
SHA512

f9ade063be2ae5861248472aff857b2e0506d4705ff779972ade7482bb7797521338dd9a842f048d5ba1697719b22a3ba596370c37f4352a2527dbe1997edfd1
SSDEEP

3072:AJ+vDJMMKvaJw4N7JPohaNviHZoJ8J58:AIDmMKCJwc7JPoYNvf

Score

10^/10

defense_evasion discovery evasion execution impact ransomware

Malware Config

Extracted

Path

C:\Program Files\RECOVERY INFORMATION.txt

Ransom Note

YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. CONTACT US: [email protected] YOUR PERSONAL ID: B888113B07CB �

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2976	bcdedit.exe
2644	bcdedit.exe

Renames multiple (6819) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\X:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\H:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\K:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\N:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\S:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\U:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\Z:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\F:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\A:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\O:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\R:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\T:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\B:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\J:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\M:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\L:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\P:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\Q:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\W:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\Y:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\E:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\G:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened (read-only)	\??\I:	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\security\blacklist	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_COL.HXT	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\TYPE.WAV	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\RECOVERY INFORMATION.txt	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAILMOD.POC	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\RECOVERY INFORMATION.txt	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\RECOVERY INFORMATION.txt	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR4F.GIF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301418.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00612_.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0158071.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00177_.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Asuncion	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Modern.dotx	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\background.gif	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02068_.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153091.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Details.accdt	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00681_.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.SYX	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09662_.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00135_.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086428.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099201.GIF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01040_.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\COPYRIGHT	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Creston	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Simple.dotx	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\La_Rioja	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241773.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\RECOVERY INFORMATION.txt	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198234.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292020.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18216_.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239955.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SBCGLOBAL.NET.XML	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kabul	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\RECOVERY INFORMATION.txt	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\RECOVERY INFORMATION.txt	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\RECOVERY INFORMATION.txt	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Pushpin.xml	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\RECOVERY INFORMATION.txt	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File created	C:\Program Files\Java\jre7\lib\security\RECOVERY INFORMATION.txt	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14516_.GIF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00090_.GIF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\RECOVERY INFORMATION.txt	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGN.CFG	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187815.WMF	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2192	vssadmin.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2220	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
2384	chrome.exe
2384	chrome.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2220	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
Token: SeDebugPrivilege	2220	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
Token: SeBackupPrivilege	2652	vssvc.exe
Token: SeRestorePrivilege	2652	vssvc.exe
Token: SeAuditPrivilege	2652	vssvc.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2192	2220	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe	30
PID 2220 wrote to memory of 2192	2220	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe	30
PID 2220 wrote to memory of 2192	2220	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe	30
PID 2220 wrote to memory of 2192	2220	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe	30
PID 2220 wrote to memory of 2712	2220	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe	31
PID 2220 wrote to memory of 2712	2220	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe	31
PID 2220 wrote to memory of 2712	2220	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe	31
PID 2220 wrote to memory of 2712	2220	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe	31
PID 2220 wrote to memory of 2732	2220	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe	33
PID 2220 wrote to memory of 2732	2220	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe	33
PID 2220 wrote to memory of 2732	2220	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe	33
PID 2220 wrote to memory of 2732	2220	3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe	33
PID 2712 wrote to memory of 2976	2712	cmd.exe	36
PID 2712 wrote to memory of 2976	2712	cmd.exe	36
PID 2712 wrote to memory of 2976	2712	cmd.exe	36
PID 2732 wrote to memory of 2644	2732	cmd.exe	37
PID 2732 wrote to memory of 2644	2732	cmd.exe	37
PID 2732 wrote to memory of 2644	2732	cmd.exe	37
PID 2384 wrote to memory of 584	2384	chrome.exe	47
PID 2384 wrote to memory of 584	2384	chrome.exe	47
PID 2384 wrote to memory of 584	2384	chrome.exe	47
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 3032	2384	chrome.exe	49
PID 2384 wrote to memory of 1532	2384	chrome.exe	50
PID 2384 wrote to memory of 1532	2384	chrome.exe	50
PID 2384 wrote to memory of 1532	2384	chrome.exe	50
PID 2384 wrote to memory of 2488	2384	chrome.exe	51

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe
"C:\Users\Admin\AppData\Local\Temp\3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\system32\vssadmin.exe
  "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2192
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2976
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\GroupRequest.wmv.exploit
1⤵
- Modifies registry class
PID:2064

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\GroupRequest.wmv.exploit
1⤵
- Modifies registry class
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6499758,0x7fef6499768,0x7fef6499778
  2⤵
  PID:584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1280,i,10230598750268428368,1558557592302470905,131072 /prefetch:2
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1280,i,10230598750268428368,1558557592302470905,131072 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1280,i,10230598750268428368,1558557592302470905,131072 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1280,i,10230598750268428368,1558557592302470905,131072 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1280,i,10230598750268428368,1558557592302470905,131072 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1348 --field-trial-handle=1280,i,10230598750268428368,1558557592302470905,131072 /prefetch:2
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3188 --field-trial-handle=1280,i,10230598750268428368,1558557592302470905,131072 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1280,i,10230598750268428368,1558557592302470905,131072 /prefetch:8
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:3472
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f957688,0x13f957698,0x13f9576a8
    3⤵
    PID:3460

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2692

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3208

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec
1⤵
PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RECOVERY INFORMATION.txt

Filesize
642B

MD5
90c7c471ba449fffb354f3d37345596d

SHA1
2b3de6d42bad77cdae35b8a7f418cc04500b3b5e

SHA256
0d8def60facc3206ea1e907941d649883082aeaf78e452f3a31b66e9a89355f0

SHA512
924cb0e513910b4bf4419bd4ae02e4d2c98989d2832d88e34a275390ad613cf3e61a572c78b8210801c52d66585b317132a07c978d744ef77f8bb5d764bb669e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5809af92-08ea-49bb-b4bd-b1f3de361be3.tmp

Filesize
5KB

MD5
5a7ad639b46ef05f3e9258306c1717ad

SHA1
d0e034d2ee591de35c98c5bcdc8840696a418ec5

SHA256
63c4a5ef0ff824fc3579a3591a256c89c52557e677a2047c871f65787e9998a1

SHA512
66b4b470777ffc3307a5c1623c2c4cd2e9540049c12d2e76ec1533d5c169fe72637152145328487e6b3f93dce8ada51d2f69c8b3a10f53e36cdced9545002b39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit