Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07/09/2024, 11:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe
Resource
win7-20240903-en
windows7-x64
21 signatures
150 seconds
Behavioral task
behavioral2
Sample
3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
16 signatures
150 seconds
Behavioral task
behavioral3
Sample
51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
Resource
win7-20240903-en
windows7-x64
20 signatures
150 seconds
Behavioral task
behavioral4
Sample
51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral5
Sample
E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
Resource
win7-20240903-en
windows7-x64
20 signatures
150 seconds
Behavioral task
behavioral6
Sample
E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
-
Size
257KB
-
MD5
6e080aa085293bb9fbdcc9015337d309
-
SHA1
51b4ef5dc9d26b7a26e214cee90598631e2eaa67
-
SHA256
9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122
-
SHA512
4e173fb5287c7ea8ff116099ec1a0599b37f743f8b798368319b5960af38e742124223dfd209457665b701e9efc6e76071fa2513322b232ac50ddad21fcebe77
-
SSDEEP
6144:xy+als+0nIycigV5cbEo6dZbBODPIsjQ/UFsYW:xy+aCFnIycigVSbObBODTMUd
Malware Config
Extracted
Path
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt
Ransom Note
All your documents, photos, databases and other important files have been encrypted
with strongest encryption RSA-2048 key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.
If you see the main encryptor red window, examine it and follow the instructions.
Otherwise, it seems that you or your antivirus deleted the encryptor program.
Now you have the last chance to decrypt your files.
Open http://3kxwjihmkgibht2s.wh47f2as19.com or http://34r6hq26q2h4jkzj.7hwr34n18.com ,
https://3kxwjihmkgibht2s.s5.tor-gateways.de/ in your browser.
They are public gates to the secret server.
Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
1KdTdDgxHMGJeFGL8xJRRj3HMi2PYBCycJ
Follow the instructions on the server.
If you have problems with gates, use direct connection:
1. Download Tor Browser from http://torproject.org
2. In the Tor Browser open the http://34r6hq26q2h4jkzj.onion/
Note that this server is available via Tor Browser only.
Retry in 1 hour if site is not reachable.
Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
1KdTdDgxHMGJeFGL8xJRRj3HMi2PYBCycJ
Follow the instructions on the server.
Wallets
1KdTdDgxHMGJeFGL8xJRRj3HMi2PYBCycJ
URLs
http://3kxwjihmkgibht2s.wh47f2as19.com
http://34r6hq26q2h4jkzj.7hwr34n18.com
https://3kxwjihmkgibht2s.s5.tor-gateways.de/
http://34r6hq26q2h4jkzj.onion/
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (379) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 2880 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 2116 stcnwbj.exe 2840 stcnwbj.exe -
Loads dropped DLL 3 IoCs
pid Process 2828 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 2116 stcnwbj.exe 2840 stcnwbj.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Users\\Admin\\AppData\\Roaming\\stcnwbj.exe" stcnwbj.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 ipinfo.io -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_RESTORE_FILES.bmp" stcnwbj.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1740 set thread context of 2828 1740 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 31 PID 2116 set thread context of 2840 2116 stcnwbj.exe 33 -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\HELP_RESTORE_FILES.txt stcnwbj.exe File created C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\HELP_RESTORE_FILES.txt stcnwbj.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png stcnwbj.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg stcnwbj.exe File created C:\Program Files\Reference Assemblies\HELP_RESTORE_FILES.txt stcnwbj.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\drag.png stcnwbj.exe File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\HELP_RESTORE_FILES.txt stcnwbj.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt stcnwbj.exe File created C:\Program Files\Internet Explorer\it-IT\HELP_RESTORE_FILES.txt stcnwbj.exe File opened for modification C:\Program Files\7-Zip\Lang\hy.txt stcnwbj.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css stcnwbj.exe File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt stcnwbj.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png stcnwbj.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_Off.png stcnwbj.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png stcnwbj.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png stcnwbj.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar stcnwbj.exe File created C:\Program Files\Microsoft Games\Mahjong\HELP_RESTORE_FILES.txt stcnwbj.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\HELP_RESTORE_FILES.txt stcnwbj.exe File created C:\Program Files\VideoLAN\VLC\locale\or_IN\HELP_RESTORE_FILES.txt stcnwbj.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png stcnwbj.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png stcnwbj.exe File created C:\Program Files\Microsoft Games\Solitaire\HELP_RESTORE_FILES.txt stcnwbj.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_left.png stcnwbj.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak stcnwbj.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\HELP_RESTORE_FILES.txt stcnwbj.exe File created C:\Program Files\VideoLAN\VLC\locale\sv\HELP_RESTORE_FILES.txt stcnwbj.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\currency.js stcnwbj.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_pressed.png stcnwbj.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png stcnwbj.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\HELP_RESTORE_FILES.txt stcnwbj.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\HELP_RESTORE_FILES.txt stcnwbj.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png stcnwbj.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg stcnwbj.exe File opened for modification C:\Program Files\7-Zip\Lang\ca.txt stcnwbj.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\HELP_RESTORE_FILES.txt stcnwbj.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv stcnwbj.exe File created C:\Program Files\Internet Explorer\es-ES\HELP_RESTORE_FILES.txt stcnwbj.exe File created C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\HELP_RESTORE_FILES.txt stcnwbj.exe File created C:\Program Files\VideoLAN\VLC\locale\br\HELP_RESTORE_FILES.txt stcnwbj.exe File opened for modification C:\Program Files\7-Zip\Lang\cs.txt stcnwbj.exe File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\HELP_RESTORE_FILES.txt stcnwbj.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png stcnwbj.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\slideShow.js stcnwbj.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png stcnwbj.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg stcnwbj.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png stcnwbj.exe File created C:\Program Files\Mozilla Firefox\HELP_RESTORE_FILES.txt stcnwbj.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt stcnwbj.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_dot.png stcnwbj.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\settings.css stcnwbj.exe File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\HELP_RESTORE_FILES.txt stcnwbj.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak stcnwbj.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\HELP_RESTORE_FILES.txt stcnwbj.exe File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\HELP_RESTORE_FILES.txt stcnwbj.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\currency.js stcnwbj.exe File opened for modification C:\Program Files\7-Zip\Lang\gu.txt stcnwbj.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\HELP_RESTORE_FILES.txt stcnwbj.exe File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\HELP_RESTORE_FILES.txt stcnwbj.exe File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\HELP_RESTORE_FILES.txt stcnwbj.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png stcnwbj.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\9.png stcnwbj.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\HELP_RESTORE_FILES.txt stcnwbj.exe File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\HELP_RESTORE_FILES.txt stcnwbj.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stcnwbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stcnwbj.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3032 vssadmin.exe -
Modifies Control Panel 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallpaperStyle = "0" stcnwbj.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\TileWallpaper = "0" stcnwbj.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe 2840 stcnwbj.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2828 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe Token: SeDebugPrivilege 2840 stcnwbj.exe Token: SeBackupPrivilege 1272 vssvc.exe Token: SeRestorePrivilege 1272 vssvc.exe Token: SeAuditPrivilege 1272 vssvc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2840 stcnwbj.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 1740 wrote to memory of 2828 1740 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 31 PID 1740 wrote to memory of 2828 1740 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 31 PID 1740 wrote to memory of 2828 1740 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 31 PID 1740 wrote to memory of 2828 1740 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 31 PID 1740 wrote to memory of 2828 1740 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 31 PID 1740 wrote to memory of 2828 1740 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 31 PID 1740 wrote to memory of 2828 1740 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 31 PID 1740 wrote to memory of 2828 1740 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 31 PID 1740 wrote to memory of 2828 1740 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 31 PID 1740 wrote to memory of 2828 1740 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 31 PID 2828 wrote to memory of 2116 2828 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 32 PID 2828 wrote to memory of 2116 2828 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 32 PID 2828 wrote to memory of 2116 2828 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 32 PID 2828 wrote to memory of 2116 2828 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 32 PID 2116 wrote to memory of 2840 2116 stcnwbj.exe 33 PID 2116 wrote to memory of 2840 2116 stcnwbj.exe 33 PID 2116 wrote to memory of 2840 2116 stcnwbj.exe 33 PID 2116 wrote to memory of 2840 2116 stcnwbj.exe 33 PID 2116 wrote to memory of 2840 2116 stcnwbj.exe 33 PID 2116 wrote to memory of 2840 2116 stcnwbj.exe 33 PID 2116 wrote to memory of 2840 2116 stcnwbj.exe 33 PID 2116 wrote to memory of 2840 2116 stcnwbj.exe 33 PID 2116 wrote to memory of 2840 2116 stcnwbj.exe 33 PID 2116 wrote to memory of 2840 2116 stcnwbj.exe 33 PID 2828 wrote to memory of 2880 2828 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 34 PID 2828 wrote to memory of 2880 2828 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 34 PID 2828 wrote to memory of 2880 2828 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 34 PID 2828 wrote to memory of 2880 2828 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 34 PID 2840 wrote to memory of 3032 2840 stcnwbj.exe 36 PID 2840 wrote to memory of 3032 2840 stcnwbj.exe 36 PID 2840 wrote to memory of 3032 2840 stcnwbj.exe 36 PID 2840 wrote to memory of 3032 2840 stcnwbj.exe 36 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exeC:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Users\Admin\AppData\Roaming\stcnwbj.exeC:\Users\Admin\AppData\Roaming\stcnwbj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Users\Admin\AppData\Roaming\stcnwbj.exeC:\Users\Admin\AppData\Roaming\stcnwbj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet5⤵
- Interacts with shadow copies
PID:3032
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\51B4EF~1.EXE >> NUL3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2880
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ebbe83d3e23ed134c0e1f21066efeb4a
SHA1c130f642a06bf66553c20f165ac6e5b6c4884a57
SHA25653b764c9f9275181193d9d167ec4f649a75602b80a01f6e81066af93bfc8f738
SHA5127d4a021bdcf4a50d66ba426092ecfd2fc24e7dd34c8e3f160c20d7a2380cab912451965122b451d835679abd34960a7769f9c2155d9a79d51cc7f08e170ab2a1
-
Filesize
257KB
MD56e080aa085293bb9fbdcc9015337d309
SHA151b4ef5dc9d26b7a26e214cee90598631e2eaa67
SHA2569b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122
SHA5124e173fb5287c7ea8ff116099ec1a0599b37f743f8b798368319b5960af38e742124223dfd209457665b701e9efc6e76071fa2513322b232ac50ddad21fcebe77