targetcompany | 26d9af84cabb56e8755bb9b8fdeb70f731afbb1da70c543effc63450e9a13018

General

Target

db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
Size

125KB
MD5

b13a1e9c7ef5a51f64a58bae9b508e62
SHA1

e232747c02b5cab0a414190a0d8438f5be042000
SHA256

db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe
SHA512

3f42f81505693089dc2595976c523f1568aee6cbe2565ba16b3e4b43a06b2533b4f2c63ba90afc2637380a32fbc5dd09b70e84ff932fe90482e0da84c0571afe
SSDEEP

3072:GA1PPaKgKdZqTXKopLuLgdgjgVE0e95NlmD:G6CKg8ZqTvpyLgd0gVqdE

Score

10^/10

targetcompany defense_evasion discovery evasion execution impact ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft\How to decrypt files.txt

Family

targetcompany

Ransom Note

Your personal identifier: TIF3MW2QALL All files on Take It For Granit, INC. network have been encrypted due to insufficient security. The only way to quickly and reliably regain access to your files is to contact us. The price depends on how fast you write to us. In other cases, you risk losing your time and access to data. Usually time is much more valuable than money. FAQ Q: How to contact us A: * Download Tor Browser - https://www.torproject.org/ * Open link in Tor Browser http://w3nrsbh4n35dkujnho3yiv5ocntimv5nb3jg5fggvgw3dwrzdnmtlaqd.onion/TIF3MW2QALL * Follow the instructions on the website. Q: What guarantees? A: Before paying, we can decrypt several of your test files. Files should not contain valuable information. Q: Can I decrypt my data for free or through intermediaries? A: Use third party programs and intermediaries at your own risk. Third party software may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.�

URLs

http://w3nrsbh4n35dkujnho3yiv5ocntimv5nb3jg5fggvgw3dwrzdnmtlaqd.onion/TIF3MW2QALL

Signatures

TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
ransomware targetcompany
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4556 bcdedit.exe
1988 bcdedit.exe
Renames multiple (5854) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

pid	process
4556	bcdedit.exe
1988	bcdedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe

description	ioc	process
File opened (read-only)	\??\V:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\Y:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\B:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\H:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\J:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\K:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\L:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\N:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\F:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\W:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\X:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\U:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\E:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\M:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\O:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\Q:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\R:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\T:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\A:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\G:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\I:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\P:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\S:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened (read-only)	\??\Z:	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe

Drops file in Program Files directory 64 IoCs

Processes:

db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\ui-strings.js	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\How to decrypt files.txt	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\circle_2x.png	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\ui-strings.js	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Classic.dotx	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\ui-strings.js	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\ui-strings.js	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\ui-strings.js	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses.svg	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\ui-strings.js	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\ui-strings.js	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\ui-strings.js	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\How to decrypt files.txt	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-sl\How to decrypt files.txt	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-ms	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\How to decrypt files.txt	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\ui-strings.js	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\ui-strings.js	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner.svg	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql70.xsl	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd.otf	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMB.TTF	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\CompareRequest.jpeg	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_editpdf_18.svg	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\INDUST.INF	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.INF	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\How to decrypt files.txt	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\How to decrypt files.txt	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\th_get.svg	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\plugin.js	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\ui-strings.js	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ro-ro\How to decrypt files.txt	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\main-selector.css	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-tw\How to decrypt files.txt	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right-pressed.gif	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_partialselected-default_18.svg	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\main.css	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

3652 vssadmin.exe

pid	process
3652	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe

pid	process
4288	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
4288	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exevssvc.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4288	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
Token: SeDebugPrivilege	4288	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
Token: SeBackupPrivilege	1500	vssvc.exe
Token: SeRestorePrivilege	1500	vssvc.exe
Token: SeAuditPrivilege	1500	vssvc.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.execmd.execmd.exe

description	pid	process	target process
PID 4288 wrote to memory of 3652	4288	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe	vssadmin.exe
PID 4288 wrote to memory of 3652	4288	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe	vssadmin.exe
PID 4288 wrote to memory of 4644	4288	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe	cmd.exe
PID 4288 wrote to memory of 4644	4288	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe	cmd.exe
PID 4288 wrote to memory of 4312	4288	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe	cmd.exe
PID 4288 wrote to memory of 4312	4288	db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe	cmd.exe
PID 4644 wrote to memory of 4556	4644	cmd.exe	bcdedit.exe
PID 4644 wrote to memory of 4556	4644	cmd.exe	bcdedit.exe
PID 4312 wrote to memory of 1988	4312	cmd.exe	bcdedit.exe
PID 4312 wrote to memory of 1988	4312	cmd.exe	bcdedit.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe
"C:\Users\Admin\AppData\Local\Temp\db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\system32\vssadmin.exe
  "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:3652
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4556
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

1

T1006

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\How to decrypt files.txt

Filesize
1KB

MD5
2ec73cd107a7b2a2a74fe885dbb806a3

SHA1
9ce7dcc184b0f3ae56379301428ff4a795af27b9

SHA256
3c911f67c2a94541505ba5bdbd8df7e45fcbb4b76a1132032029e02c2e9cec3a

SHA512
963655732f1d36d7af13ac14e7ef2944a78c09c001762db481e959231bb3755af36c9b0df04dfaaaa93278dcd0e4096f6be28802cc0756e70dbcce58def5fbe9

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads