Malware Analysis Report

2024-10-19 07:15

Sample ID 240915-p3e4kavfmn
Target Encrypt.exe
SHA256 b15052d17afc1a01e83cdc0624dd268838237f8cd66fa12c56706bdee8a61286
Tags
chaos defense_evasion discovery evasion execution impact macro persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b15052d17afc1a01e83cdc0624dd268838237f8cd66fa12c56706bdee8a61286

Threat Level: Known bad

The file Encrypt.exe was found to be: Known bad.

Malicious Activity Summary

chaos defense_evasion discovery evasion execution impact macro persistence ransomware spyware stealer

Chaos Ransomware

Chaos

Chaos family

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes backup catalog

Suspicious Office macro

Disables Task Manager via registry modification

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Drops desktop.ini file(s)

Adds Run key to start application

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Interacts with shadow copies

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies registry class

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Opens file in notepad (likely ransom note)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-15 12:50

Signatures

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Chaos family

chaos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-15 12:50

Reported

2024-09-15 13:21

Platform

win7-20240903-en

Max time kernel

1798s

Max time network

1557s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Encrypt.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\Encrypt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BY17T927\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\39RANI6K\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AQYH36ZT\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QMPQWRBT\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGWF8QWZ\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QMPQWRBT\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aj199hbrl.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\u58iz0elw.jpg" C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Encrypt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\Encrypt.exe C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe
PID 2188 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\Encrypt.exe C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe
PID 2188 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\Encrypt.exe C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe
PID 2188 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\Encrypt.exe C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe
PID 2188 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\Encrypt.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2188 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\Encrypt.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2188 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\Encrypt.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2188 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\Encrypt.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2748 wrote to memory of 2552 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2748 wrote to memory of 2552 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2748 wrote to memory of 2552 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2748 wrote to memory of 2552 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2552 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\System32\cmd.exe
PID 2552 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\System32\cmd.exe
PID 2552 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\System32\cmd.exe
PID 2120 wrote to memory of 2788 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2120 wrote to memory of 2788 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2120 wrote to memory of 2788 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2784 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2784 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2784 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2816 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\wbadmin.exe
PID 2816 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\wbadmin.exe
PID 2816 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\wbadmin.exe
PID 2192 wrote to memory of 1940 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2192 wrote to memory of 1940 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2192 wrote to memory of 1940 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2192 wrote to memory of 1052 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2192 wrote to memory of 1052 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2192 wrote to memory of 1052 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2816 wrote to memory of 616 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2816 wrote to memory of 616 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2816 wrote to memory of 616 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 616 wrote to memory of 1860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 616 wrote to memory of 1860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 616 wrote to memory of 1860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 616 wrote to memory of 2324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 616 wrote to memory of 2324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 616 wrote to memory of 2324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2816 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2816 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2816 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 3064 wrote to memory of 2000 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 3064 wrote to memory of 2000 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 3064 wrote to memory of 2000 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 2120 wrote to memory of 2352 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2120 wrote to memory of 2352 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2120 wrote to memory of 2352 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2816 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 2816 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 2816 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 2552 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\System32\cmd.exe
PID 2552 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\System32\cmd.exe
PID 2552 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\System32\cmd.exe
PID 356 wrote to memory of 2452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 356 wrote to memory of 2452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 356 wrote to memory of 2452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 356 wrote to memory of 2064 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 356 wrote to memory of 2064 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 356 wrote to memory of 2064 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2552 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\System32\cmd.exe
PID 2552 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\System32\cmd.exe
PID 2552 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\System32\cmd.exe
PID 2000 wrote to memory of 2192 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Encrypt.exe

"C:\Users\Admin\AppData\Local\Temp\Encrypt.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.187.238:443 docs.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.179.227:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 xred.mooo.com udp

Files

memory/2188-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

C:\ProgramData\Synaptics\Synaptics.exe

MD5 8728ba233fcb020a6a2eaabb90df630c
SHA1 c6dc576f2e0423e8a0f36bba51fa7c65e1e281e7
SHA256 b15052d17afc1a01e83cdc0624dd268838237f8cd66fa12c56706bdee8a61286
SHA512 24e494c64647794fc9aa91da6975117d27984b4bb21859dbf0c60faba5b7f0ec26c26ebbe1ad57f185e1d7ecd4b797d530639d287456ac9bc2930a111fd4613a

C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe

MD5 e7d91103647b76f121b854fe806f80e2
SHA1 e6adca5f83dfb2cca099cf18d6960d422b82bb9e
SHA256 04ed744d9643830fc5f0499203a6fde506b5f2c89868695bfe179a8edb3b28c0
SHA512 69dc672bfe3a89ebe71b8041159afab0231701ea59438feb1f000ddddf52627c1f7c6f36bd8c2f77f037dd2659e6ef8f27db283476dae228522051659f2f67b0

memory/2188-25-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2784-26-0x0000000000B70000-0x0000000000BFC000-memory.dmp

memory/2552-36-0x0000000000370000-0x00000000003FC000-memory.dmp

memory/2572-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u46mEwOC.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

memory/2816-72-0x0000000000E20000-0x0000000000EAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u46mEwOC.xlsm

MD5 49800a23f41ad3b0a70b40012eeaea78
SHA1 ddf388f5520f3fff090200f5a5dc375f85031c9a
SHA256 0d13e2050b3fb50dea61a38a32894a7d5d4b0adb757afb50aee171b385fb2d72
SHA512 684f73692d535b591192ecc78e91e7dfc29c905b382df996fe4e72e0e82e50ef6d38cbf3a058621422f28c431d0bab0861e9b902f07d3c84031391c06552de8b

C:\Users\Admin\AppData\Local\Temp\u46mEwOC.xlsm

MD5 1efba757a4b6b02dddcdfecc257b7e2a
SHA1 0639af69754ed51267969fd8b0f966619a792267
SHA256 c30b1a68683c4f165a72d163c50bf5821613a18381c9187d7be2e0fce04ff1ce
SHA512 83fe65d4b539f51b45c0e1b9871707fd665f56e273b4749d4a683eceaf83f8dfee5f91e6e66b3550baea9a7b8499ca74aa33b78a2b9c427d7daed7db080f10a9

C:\Users\Admin\AppData\Local\Temp\u46mEwOC.xlsm

MD5 2a1e339222cff63ea70026762ebabe8f
SHA1 c4225ced64a797f236084e0172e2a3d2cce9e785
SHA256 b24fdfbcdb77ec44a5ae289be261a16549fc2fa6c17c930a32bed9dffbc29ce9
SHA512 409857427ef988797beb252523e3ff1f92fbca8851b74055bd2a76ec0c04bdaefad3b6ffac4e0ed1d4161b344ceb27a3350490aee866f2ca83caa6310694db80

C:\Users\Admin\AppData\Local\Temp\u46mEwOC.xlsm

MD5 affa910ab495a2adacfc9b4c0516c987
SHA1 f64f5c274e1236fd253dd783e045dd2c53b3fb5e
SHA256 143ce97a6d9c36b88f5cc1f7dd10b5fb847baf88ce582046fec7b9606ebe1464
SHA512 074ad361b756943decea3e9f77bcf9f34a47ec4afeb88abb8319e8adaec10213a3cab95f1d3c3bbd4e02c51ab8834aca20bb9ae988b4d2a14d3b74e13098be4a

C:\Users\Admin\Documents\~$UsePush.xlsx

MD5 ff09371174f7c701e75f357a187c06e8
SHA1 57f9a638fd652922d7eb23236c80055a91724503
SHA256 e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8
SHA512 e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\read_it.txt

MD5 76e381f78e94c35d358a4fc048d3aa37
SHA1 361d4153f76f32d36c1edd3da27e59f41f7e2d0f
SHA256 db317b799b14715d1b26661dd60570faa3b5c377656d490cd2697f78271c413f
SHA512 ef1d2bd09d8e34eb6260d11a3ac821cdd1b6aa1dba0c8616cbed1d233979d39ceb00c369ccabb6630324ef0027a83b6b61729b2ed66d55bf249387782a1fe4e3

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk

MD5 d1457b72c3fb323a2671125aef3eab5d
SHA1 5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512 ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.pk8m

MD5 6caf311fcc5b55bd88d95ab2dd090463
SHA1 dd09aafdae4ad3978e91028ac6ebf88582289775
SHA256 d3978d0cd5c9ce1badb3bf34dba36330279e5524ce1d9e3d9b281387224fb3da
SHA512 c8f7ac8c8ca72c3e63c2759772c581e29118cfe4b4d96d67db41f6f48a6c62f42cb6c4ab3238b0e7ef84f3db7dc45bc40feee2e3d875046b265059c5a78d9486

C:\Users\Admin\AppData\Local\Temp\aj199hbrl.jpg

MD5 c8815393aca12a41ac61c6c90fbc3913
SHA1 cc2d2e9adee90a390602e020df9c7d1bff606b6e
SHA256 6b50e64f52faf9ba766226f414d9baa84fa82b9dc8e1dedcf11923f2d6944b3e
SHA512 6c5ce41ab6885d1e20ce894bf4286c2469f341fc96d90eb2187e782324066f649ffdeedfb46fc14831c00cdceb180c39a5e910bc00f12b5607efed5baf17a9e9

memory/2748-1161-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2748-1162-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2748-1197-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2748-1253-0x0000000000400000-0x0000000000545000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-15 12:50

Reported

2024-09-15 12:54

Platform

win10v2004-20240802-en

Max time kernel

208s

Max time network

204s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Encrypt.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Encrypt.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\Encrypt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xv3o7xhfr.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Encrypt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\Encrypt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3896 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\Encrypt.exe C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe
PID 3896 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\Encrypt.exe C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe
PID 3896 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\Encrypt.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3896 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\Encrypt.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3896 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\Encrypt.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1716 wrote to memory of 1988 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1716 wrote to memory of 1988 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1988 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1988 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3848 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 3848 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4600 wrote to memory of 2828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4600 wrote to memory of 2828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4600 wrote to memory of 1680 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4600 wrote to memory of 1680 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3848 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 3848 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 1524 wrote to memory of 3276 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1524 wrote to memory of 3276 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1524 wrote to memory of 116 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1524 wrote to memory of 116 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3848 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 3848 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 5012 wrote to memory of 3732 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 5012 wrote to memory of 3732 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3848 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 3848 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 2524 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2524 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Encrypt.exe

"C:\Users\Admin\AppData\Local\Temp\Encrypt.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 94.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 252.215.42.69.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.187.238:443 docs.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.179.227:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/3896-0-0x00000000023E0000-0x00000000023E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_Encrypt.exe

MD5 e7d91103647b76f121b854fe806f80e2
SHA1 e6adca5f83dfb2cca099cf18d6960d422b82bb9e
SHA256 04ed744d9643830fc5f0499203a6fde506b5f2c89868695bfe179a8edb3b28c0
SHA512 69dc672bfe3a89ebe71b8041159afab0231701ea59438feb1f000ddddf52627c1f7c6f36bd8c2f77f037dd2659e6ef8f27db283476dae228522051659f2f67b0

C:\ProgramData\Synaptics\Synaptics.exe

MD5 8728ba233fcb020a6a2eaabb90df630c
SHA1 c6dc576f2e0423e8a0f36bba51fa7c65e1e281e7
SHA256 b15052d17afc1a01e83cdc0624dd268838237f8cd66fa12c56706bdee8a61286
SHA512 24e494c64647794fc9aa91da6975117d27984b4bb21859dbf0c60faba5b7f0ec26c26ebbe1ad57f185e1d7ecd4b797d530639d287456ac9bc2930a111fd4613a

memory/2524-70-0x00007FF999443000-0x00007FF999445000-memory.dmp

memory/2524-71-0x00000000006C0000-0x000000000074C000-memory.dmp

memory/3896-129-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2524-131-0x00007FF999440000-0x00007FF999F01000-memory.dmp

memory/4756-192-0x00007FF977730000-0x00007FF977740000-memory.dmp

memory/4756-194-0x00007FF977730000-0x00007FF977740000-memory.dmp

memory/4756-195-0x00007FF977730000-0x00007FF977740000-memory.dmp

memory/4756-196-0x00007FF977730000-0x00007FF977740000-memory.dmp

memory/4756-193-0x00007FF977730000-0x00007FF977740000-memory.dmp

memory/4756-197-0x00007FF975620000-0x00007FF975630000-memory.dmp

memory/4756-198-0x00007FF975620000-0x00007FF975630000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mTTH21gL.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Users\Admin\AppData\Local\Temp\DCA75E00

MD5 49fe6a355ddf5caade5b2851f64aa250
SHA1 3bbe456b7c58386b3c181da2f99863275fb6086d
SHA256 16d7c926d3fd48a948961720495ca7384fe6052ea9eed544541e7181e382ea06
SHA512 fd9ac255273383abb7c695ffd082944914bf686a8d9406bd1207357ea056c9dc8981c9a3596eb5313801b0d39994c2ab7fb8faa158f45734d1f7e1c9bdf16218

C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\read_it.txt

MD5 76e381f78e94c35d358a4fc048d3aa37
SHA1 361d4153f76f32d36c1edd3da27e59f41f7e2d0f
SHA256 db317b799b14715d1b26661dd60570faa3b5c377656d490cd2697f78271c413f
SHA512 ef1d2bd09d8e34eb6260d11a3ac821cdd1b6aa1dba0c8616cbed1d233979d39ceb00c369ccabb6630324ef0027a83b6b61729b2ed66d55bf249387782a1fe4e3

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk

MD5 d1457b72c3fb323a2671125aef3eab5d
SHA1 5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512 ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\._cache_Synaptics.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Users\Admin\AppData\Local\Temp\~$mTTH21gL.xlsm

MD5 ff09371174f7c701e75f357a187c06e8
SHA1 57f9a638fd652922d7eb23236c80055a91724503
SHA256 e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8
SHA512 e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.fmdx

MD5 51b2050e9ee0eeb9b322755fd87edddf
SHA1 92245b33257b9c90196bc6a81245106b298cf88b
SHA256 eec473615513c26e38896bb84739ac3a024356c081d0d68b166540bce3c19f0e
SHA512 51bc8e58fc672f19220eae2435b7556a7c9c6371145f990012935a7cd8a32a512a2d4b18439aacf4d2e7f0243976a7c2991fc5fa052a6e60d65309a047817a05

memory/2524-1611-0x00007FF999443000-0x00007FF999445000-memory.dmp

memory/1716-1612-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2524-1613-0x00007FF999440000-0x00007FF999F01000-memory.dmp

memory/2524-1616-0x00007FF999440000-0x00007FF999F01000-memory.dmp

memory/1716-1643-0x0000000000400000-0x0000000000545000-memory.dmp