Overview

Score: 10

Sample                          Platform              Score
Static                          static                10
samples.zip                     windows7-x64          1
samples.zip                     windows10-2004-x64    1
samples/$I30                    windows7-x64          1
samples/$I30                    windows10-2004-x64    1
samples/Everything.db           windows7-x64          3
samples/Everything.db           windows10-2004-x64    3
samples/Ev...eslack             windows7-x64          3
samples/Ev...eslack             windows10-2004-x64    3
samples/Ev...ng.exe             windows7-x64          6
samples/Ev...ng.exe             windows10-2004-x64    6
samples/Ev...ng.ini             windows7-x64          1
samples/Ev...ng.ini             windows10-2004-x64    1
samples/Ev...eslack             windows7-x64          3
samples/Ev...eslack             windows10-2004-x64    3
samples/Ev...32.dll             windows7-x64          3
samples/Ev...32.dll             windows10-2004-x64    3
samples/Ev...eslack             windows7-x64          3
samples/Ev...eslack             windows10-2004-x64    3
samples/Ev...g64.7z             windows7-x64          3
samples/Ev...g64.7z             windows10-2004-x64    3
samples/fr...ng.exe             windows7-x64          10
samples/fr...ng.exe             windows10-2004-x64    10
samples/session.tmp             windows7-x64          3
samples/session.tmp             windows10-2004-x64    3

Analysis
- max time kernel: 34s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-09-2024 14:34
Behavioral tasks

Task            Sample                                  Resource
behavioral1     samples.zip                             win7-20240903-en
behavioral2     samples.zip                             win10v2004-20240802-en
behavioral3     samples/$I30                            win7-20240903-en
behavioral4     samples/$I30                            win10v2004-20240802-en
behavioral5     samples/Everything.db                   win7-20240704-en
behavioral6     samples/Everything.db                   win10v2004-20240802-en
behavioral7     samples/Everything.db.fileslack         win7-20240903-en
behavioral8     samples/Everything.db.fileslack         win10v2004-20240802-en
behavioral9     samples/Everything.exe                  win7-20240903-en
behavioral10    samples/Everything.exe                  win10v2004-20240802-en
behavioral11    samples/Everything.ini                  win7-20240903-en
behavioral12    samples/Everything.ini                  win10v2004-20240802-en
behavioral13    samples/Everything.ini.fileslack        win7-20240903-en
behavioral14    samples/Everything.ini.fileslack        win10v2004-20240802-en
behavioral15    samples/Everything32.dll                win7-20240704-en
behavioral16    samples/Everything32.dll                win10v2004-20240802-en
behavioral17    samples/Everything32.dll.fileslack      win7-20240708-en
behavioral18    samples/Everything32.dll.fileslack      win10v2004-20240802-en
behavioral19    samples/Everything64.7z                 win7-20240903-en
behavioral20    samples/Everything64.7z                 win10v2004-20240802-en
behavioral21    samples/freeworldencrypting.exe         win7-20240903-en
behavioral22    samples/freeworldencrypting.exe         win10v2004-20240802-en
behavioral23    samples/session.tmp                     win7-20240903-en
behavioral24    samples/session.tmp                     win10v2004-20240802-en
General
- Target: samples/freeworldencrypting.exe
- Size: 2.0MB
- MD5: 22c109d5539b862d629daa01673352cd
- SHA1: 2eed43bf7f139243d9ef93bf4ed0903ced8a08b5
- SHA256: f5a331009d6e46236036c2de3578f2a8414742271ed4b23496859c8b99f5c4de
- SHA512: 3d251c3c633f24b1ddf7d1f5dcf8a2c8093c892c0a1e5577aec8dc01fcf50aebdc0d481c96f65d83dadd7a7873c2e8013761b16728bd5f6e3621977b2ae46bc2
- SSDEEP: 49152:wa/RPnb1b+uL5KTu8l6VP/DOdmGtPY4ldP1nKESY:wa/RTd56M9/DmmGmMP
Malware Config
Signatures
Detects Mimic ransomware 1 IoCs
- resource: behavioral21/files/0x000500000001a431-22.dat, yara_rule: family_mimic

Mimic
Ransomware family first observed in the wild in 2022.

UAC bypass
Process: freeworldencrypting.exe for all entries.
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
Process: freeworldencrypting.exe for all entries. All keys live under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\.
- Set value (str) <name>\Debugger = "C:\\Windows\\System32\\Systray.exe" for: msaccess.exe, Raccine.exe, TeamViewer_Service.exe, benetns.exe, pvlsvr.exe, QBIDPService.exe, qbupdate.exe, logoff.exe, QBDBMgr.exe, sqlagent.exe, SearchProtocolHost.exe, taskkill.exe, axlbridge.exe, dbsnmp.exe, RaccineSettings.exe, tv_w32.exe, shutdown.exe, VeeamDeploymentSvc.exe, TeamViewer.exe, wsa_service.exe, encsvc.exe, python.exe, tbirdconfig.exe, fdlauncher.exe, vxmon.exe, beserver.exe, MsDtSrvr.exe, ocssd.exe, mysqld-nt.exe, taskmgr.exe, fbserver.exe, isqlplussvc.exe, sqlbrowser.exe, wdswfsafe.exe, ocomm.exe, QBW64.exe, Raccine_x86.exe, AutodeskDesktopApp.exe (38 entries)
- Key created <name> for: benetns.exe, shutdown.exe, wxServer.exe, mysqld-nt.exe, SearchIndexer.exe, pvlsvr.exe, tomcat6.exe, encsvc.exe, fbguard.exe, QBDBMgr.exe, mysqld.exe, logoff.exe, AutodeskDesktopApp.exe, isqlplussvc.exe, RaccineSettings.exe, qbupdate.exe, sqlservr.exe, wxServerView.exe, Raccine.exe, fbserver.exe, ocssd.exe, sql.exe, wsa_service.exe, TeamViewer_Service.exe, httpd.exe, ocomm.exe (26 entries)
Executes dropped EXE 5 IoCs
- 2316 freeworldencrypting.exe
- 2744 freeworldencrypting.exe
- 2364 freeworldencrypting.exe
- 2624 freeworldencrypting.exe
- 2600 Everything.exe

Loads dropped DLL 6 IoCs
- 2120 freeworldencrypting.exe
- 2316 freeworldencrypting.exe
- 2364 freeworldencrypting.exe
- 2744 freeworldencrypting.exe
- 2624 freeworldencrypting.exe
- 2316 freeworldencrypting.exe

Modifies system executable filetype association 2 TTPs 10 IoCs
Process: freeworldencrypting.exe for all entries.
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"
- Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\exefile\shell
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"
- Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"
- Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command
- Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\exefile\shell\open
- Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"
- Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command
- Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\exefile\shell\open\command
- Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\exefile\shell\open\command

Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\freeworldencrypting = "\"C:\\Users\\Admin\\AppData\\Local\\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\\freeworldencrypting.exe\" " (freeworldencrypting.exe)
Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (freeworldencrypting.exe)
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\<X>: by Everything.exe, for drive letters N, V, W, X, Z, B, G, H, I, J, Q, T, Y, E, K, L, M, P, R, U, A, O, S (23 entries)
Power Settings 1 TTPs 15 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- powercfg.exe PIDs: 2512, 2740, 2692, 2632, 2756, 1652, 2612, 2616, 2788, 2892, 2440, 2100, 2668, 1716, 2640

- powershell.exe PIDs: 1260, 1528, 2164
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by freeworldencrypting.exe (5 entries), cmd.exe (1 entry), Everything.exe (1 entry)
Modifies registry class 19 IoCs
Process: freeworldencrypting.exe for all entries.
- Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\exefile\shell\open
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open
- Key created \REGISTRY\MACHINE\Software\Classes\.EncryptedDATA
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"
- Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"
- Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile
- Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\exefile
- Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\exefile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\HACKLENDINIZ.txt\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EncryptedDATA\ = "mimicfile"
- Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command
- Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\exefile\shell\open\command
- Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\exefile\shell
- Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"
- Key created \REGISTRY\MACHINE\Software\Classes\mimicfile\shell\open\command
Suspicious behavior: EnumeratesProcesses 23 IoCs
- 2316 freeworldencrypting.exe (17 entries)
- 1260 powershell.exe
- 1528 powershell.exe
- 2164 powershell.exe
- 2316 freeworldencrypting.exe
- 2364 freeworldencrypting.exe
- 2624 freeworldencrypting.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
- 2120 freeworldencrypting.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- 2316 freeworldencrypting.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- 2756 powercfg.exe: SeShutdownPrivilege (2 entries)
- 1260 powershell.exe: SeDebugPrivilege
- 1528 powershell.exe: SeDebugPrivilege
- 2164 powershell.exe: SeDebugPrivilege
- 2744 freeworldencrypting.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege
Suspicious use of SetWindowsHookEx 1 IoCs
- 2600 Everything.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each row appears four times in the report; the writing process is freeworldencrypting.exe in every case.
- PID 2120 wrote to memory of 2316, procid_target 31
- PID 2316 wrote to memory of 2920, procid_target 32
- PID 2316 wrote to memory of 2744, procid_target 33
- PID 2316 wrote to memory of 2624, procid_target 34
- PID 2316 wrote to memory of 2364, procid_target 35
- PID 2316 wrote to memory of 2640, procid_target 37
- PID 2316 wrote to memory of 2892, procid_target 38
- PID 2316 wrote to memory of 2756, procid_target 39
- PID 2316 wrote to memory of 2788, procid_target 40
- PID 2316 wrote to memory of 2616, procid_target 43
- PID 2316 wrote to memory of 2612, procid_target 44
- PID 2316 wrote to memory of 2632, procid_target 45
- PID 2316 wrote to memory of 2668, procid_target 47
- PID 2316 wrote to memory of 2692, procid_target 48
- PID 2316 wrote to memory of 2740, procid_target 49
- PID 2316 wrote to memory of 1652, procid_target 52
System policy modification 1 TTPs 11 IoCs
Process: freeworldencrypting.exe for all entries.
- Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"
- Key created \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\System
Processes
-
C:\Users\Admin\AppData\Local\Temp\samples\freeworldencrypting.exe | "C:\Users\Admin\AppData\Local\Temp\samples\freeworldencrypting.exe" | 1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe | "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe" | 2⤵
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2316 -
C:\Windows\SysWOW64\cmd.exe | cmd.exe /c DC.exe /D | 3⤵
- System Location Discovery: System Language Discovery
PID:2920
-
-
C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe | "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe" -e watch -pid 2316 -! | 3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2744
-
-
C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe | "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe" -e ul1 | 3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2624
-
-
C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe | "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe" -e ul2 | 3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2364
-
-
C:\Windows\system32\powercfg.exe | powercfg.exe -H off | 3⤵
- Power Settings
PID:2640
-
-
C:\Windows\system32\powercfg.exe | powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0 | 3⤵
- Power Settings
PID:2892
-
-
C:\Windows\system32\powercfg.exe | powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0 | 3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2756
-
-
C:\Windows\system32\powercfg.exe | powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0 | 3⤵
- Power Settings
PID:2788
-
-
C:\Windows\system32\powercfg.exe | powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0 | 3⤵
- Power Settings
PID:2616
-
-
C:\Windows\system32\powercfg.exe | powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0 | 3⤵
- Power Settings
PID:2612
-
-
C:\Windows\system32\powercfg.exe | powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0 | 3⤵
- Power Settings
PID:2632
-
-
C:\Windows\system32\powercfg.exe | powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0 | 3⤵
- Power Settings
PID:2668
-
-
C:\Windows\system32\powercfg.exe | powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0 | 3⤵
- Power Settings
PID:2692
-
-
C:\Windows\system32\powercfg.exe | powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0 | 3⤵
- Power Settings
PID:2740
-
-
C:\Windows\system32\powercfg.exe | powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0 | 3⤵
- Power Settings
PID:1652
-
-
C:\Windows\system32\powercfg.exe | powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0 | 3⤵
- Power Settings
PID:2512
-
-
C:\Windows\system32\powercfg.exe | powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0 | 3⤵
- Power Settings
PID:2100
-
-
C:\Windows\system32\powercfg.exe | powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c | 3⤵
- Power Settings
PID:1716
-
-
C:\Windows\system32\powercfg.exe | powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61 | 3⤵
- Power Settings
PID:2440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM" | 3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage" | 3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage" | 3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260
-
-
C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\Everything.exe | "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\Everything.exe" -startup | 3⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2600
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Event Triggered Execution 2
Change Default File Association 1
Image File Execution Options Injection 1
Power Settings 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Event Triggered Execution 2
Change Default File Association 1
Image File Execution Options Injection 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Impair Defenses 1
Disable or Modify Tools 1
Modify Registry 4
Replay Monitor
Downloads