Analysis

max time kernel: 361s
max time network: 362s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 21-09-2024 14:36
Behavioral tasks

Task         Sample                             Resource
behavioral1  samples.zip                        win7-20240903-en
behavioral2  samples.zip                        win10v2004-20240802-en
behavioral3  samples/Everything.exe             win7-20240903-en
behavioral4  samples/Everything.exe             win10v2004-20240802-en
behavioral5  samples/Everything32.dll           win7-20240903-en
behavioral6  samples/Everything32.dll           win10v2004-20240802-en
behavioral7  samples/freeworldencrypting.exe    win7-20240708-en
behavioral8  samples/freeworldencrypting.exe    win10v2004-20240802-en

The signatures below come from behavioral7 (freeworldencrypting.exe on the Windows 7 x64 image).
General

Target: samples/freeworldencrypting.exe
Size: 2.0MB
MD5: 22c109d5539b862d629daa01673352cd
SHA1: 2eed43bf7f139243d9ef93bf4ed0903ced8a08b5
SHA256: f5a331009d6e46236036c2de3578f2a8414742271ed4b23496859c8b99f5c4de
SHA512: 3d251c3c633f24b1ddf7d1f5dcf8a2c8093c892c0a1e5577aec8dc01fcf50aebdc0d481c96f65d83dadd7a7873c2e8013761b16728bd5f6e3621977b2ae46bc2
SSDEEP: 49152:wa/RPnb1b+uL5KTu8l6VP/DOdmGtPY4ldP1nKESY:wa/RTd56M9/DmmGmMP
Malware Config
Signatures
Detects Mimic ransomware 1 IoCs
resource yara_rule
behavioral7/files/0x0006000000016df2-25.dat family_mimic

Mimic
Ransomware family first observed in the wild in 2022. Mimic ships with the legitimate Everything search utility (Everything.exe and Everything32.dll in this archive) and uses its API to enumerate the files it encrypts. The extension this sample registers for encrypted files is .EncryptedDATA (see Modifies registry class below).
Untitled signature: UAC policy values set to 0 4 IoCs
Setting EnableLUA to 0 turns UAC off entirely at the next logon; the three prompt values remove the consent and secure-desktop prompts in the meantime.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" freeworldencrypting.exe
Clears Windows event logs 1 TTPs 3 IoCs
pid Process
2384 wevtutil.exe
2244 wevtutil.exe
1252 wevtutil.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process
2644 bcdedit.exe
3060 bcdedit.exe

Untitled signature: wbadmin.exe execution 1 IoCs
pid Process
2316 wbadmin.exe

Untitled signature: wbadmin.exe execution 1 IoCs
pid Process
2656 wbadmin.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
All 64 IoCs are written by freeworldencrypting.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (abbreviated IFEO below). Every one of the 30 Debugger values points at C:\Windows\System32\Systray.exe: when Windows is asked to start one of the named executables it launches the "debugger" with that command line instead, and Systray.exe simply exits, so the real program never runs. In this sample IFEO is used to block database, backup and security tooling (SQL Server, MySQL, Oracle, Firebird, QuickBooks, Veeam, Backup Exec, TeamViewer and the Raccine anti-ransomware tool), not as a persistence mechanism.
description ioc
Key created IFEO\fbserver.exe
Set value (str) IFEO\node.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\QBW32.exe
Set value (str) IFEO\sqlbrowser.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\wsqmcons.exe
Key created IFEO\tasklist.exe
Key created IFEO\bengien.exe
Set value (str) IFEO\ocautoupds.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Set value (str) IFEO\QBDBMgrN.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\vxmon.exe
Set value (str) IFEO\fbguard.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\SearchProtocolHost.exe
Set value (str) IFEO\logoff.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Set value (str) IFEO\Ssms.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\agntsvc.exe
Key created IFEO\pvlsvr.exe
Key created IFEO\node.exe
Set value (str) IFEO\RaccineElevatedCfg.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Set value (str) IFEO\sql.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\Ssms.exe
Key created IFEO\wdswfsafe.exe
Set value (str) IFEO\fdhost.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\mysqld-opt.exe
Key created IFEO\python.exe
Key created IFEO\RAgui.exe
Set value (str) IFEO\mspub.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\ocomm.exe
Key created IFEO\sqlwriter.exe
Key created IFEO\TeamViewer_Service.exe
Key created IFEO\dbsnmp.exe
Key created IFEO\isqlplussvc.exe
Set value (str) IFEO\MsDtSrvr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\mspub.exe
Set value (str) IFEO\wxServer.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Set value (str) IFEO\CompatTelRunner.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Set value (str) IFEO\mysqld.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Set value (str) IFEO\QBW32.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\VeeamDeploymentSvc.exe
Key created IFEO\sqbcoreservice.exe
Set value (str) IFEO\agntsvc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\bedbh.exe
Set value (str) IFEO\benetns.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\dbeng50.exe
Set value (str) IFEO\wsqmcons.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Set value (str) IFEO\sqlservr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Set value (str) IFEO\tomcat6.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\wsa_service.exe
Key created IFEO\fbguard.exe
Set value (str) IFEO\QBW64.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Set value (str) IFEO\VeeamDeploymentSvc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\SimplyConnectionManager.exe
Set value (str) IFEO\ocomm.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Set value (str) IFEO\ocssd.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Set value (str) IFEO\pvlsvr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\raw_agent_svc.exe
Key created IFEO\sqlagent.exe
Key created IFEO\mysqld-nt.exe
Set value (str) IFEO\java.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\QBIDPService.exe
Set value (str) IFEO\sqbcoreservice.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\qbupdate.exe
Set value (str) IFEO\SimplyConnectionManager.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Key created IFEO\xfssvccon.exe
Set value (str) IFEO\dbeng50.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"
Executes dropped EXE 6 IoCs
pid Process
2432 freeworldencrypting.exe
2428 freeworldencrypting.exe
2796 freeworldencrypting.exe
2684 freeworldencrypting.exe
1360 Everything.exe
1520 Everything.exe

Loads dropped DLL 9 IoCs
pid Process
3008 freeworldencrypting.exe
2432 freeworldencrypting.exe (5 loads)
2428 freeworldencrypting.exe
2796 freeworldencrypting.exe
2684 freeworldencrypting.exe
Modifies system executable filetype association 2 TTPs 10 IoCs
The value written, "%1" %*, is the default exefile handler, so these writes leave .exe launching unchanged; the sample writes it under both HKLM\Software\Classes and the logged-on user's S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES hive.
description ioc Process
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command freeworldencrypting.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" freeworldencrypting.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" freeworldencrypting.exe
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\exefile\shell\open\command freeworldencrypting.exe
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\exefile\shell freeworldencrypting.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" freeworldencrypting.exe
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command freeworldencrypting.exe
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\exefile\shell\open freeworldencrypting.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" freeworldencrypting.exe
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\exefile\shell\open\command freeworldencrypting.exe

Adds Run key to start application 2 TTPs 2 IoCs
Two machine-wide Run entries: one relaunches the copy the sample placed in a GUID-named directory under AppData\Local, the other opens the ransom note HACKLENDINIZ.txt (Turkish for "you have been hacked") in Notepad at every logon.
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\freeworldencrypting.exe = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\HACKLENDINIZ.txt\"" freeworldencrypting.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\freeworldencrypting = "\"C:\\Users\\Admin\\AppData\\Local\\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\\freeworldencrypting.exe\" " freeworldencrypting.exe

Untitled signature: EnableLUA set to 0 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" freeworldencrypting.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) by Everything.exe, each drive letter twice: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (every letter except C:, D: and F:)
Power Settings 1 TTPs 15 IoCs
powercfg controls all configurable power settings on a Windows system and can be abused to keep an infected host from sleeping, hibernating, locking or shutting down while encryption runs.
pid Process
1112 powercfg.exe
1540 powercfg.exe
1964 powercfg.exe
2004 powercfg.exe
496 powercfg.exe
2996 powercfg.exe
3036 powercfg.exe
1600 powercfg.exe
1664 powercfg.exe
2672 powercfg.exe
872 powercfg.exe
2304 powercfg.exe
1068 powercfg.exe
2980 powercfg.exe
2624 powercfg.exe

Drops file in Windows directory 3 IoCs
These are wbadmin's own trace logs, a side effect of the wbadmin.exe runs above rather than files planted by the sample.
description ioc Process
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl wbadmin.exe
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl wbadmin.exe
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl wbadmin.exe

Untitled signature: powershell.exe execution 3 IoCs
pid Process
1888 powershell.exe
1612 powershell.exe
1884 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: freeworldencrypting.exe (5 times), fsutil.exe, cmd.exe (2 times), wevtutil.exe (3 times), PING.EXE, Everything.exe (2 times), notepad.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process
1812 cmd.exe
2444 PING.EXE
Modifies registry class 19 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\HACKLENDINIZ.txt\"" freeworldencrypting.exe
Key created \REGISTRY\MACHINE\Software\Classes\.EncryptedDATA freeworldencrypting.exe
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command freeworldencrypting.exe
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command freeworldencrypting.exe
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\exefile\shell\open\command freeworldencrypting.exe
Key created \REGISTRY\MACHINE\Software\Classes\mimicfile\shell\open\command freeworldencrypting.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command freeworldencrypting.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" freeworldencrypting.exe
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\exefile freeworldencrypting.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" freeworldencrypting.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile freeworldencrypting.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EncryptedDATA\ = "mimicfile" freeworldencrypting.exe
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\exefile\shell\open\command freeworldencrypting.exe
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\exefile\shell freeworldencrypting.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell freeworldencrypting.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open freeworldencrypting.exe
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\exefile\shell\open freeworldencrypting.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" freeworldencrypting.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" freeworldencrypting.exe

The .EncryptedDATA extension is mapped to the mimicfile class, whose open command launches Notepad on the ransom note, so double-clicking any encrypted file shows the note.
Opens file in notepad (likely ransom note) 1 IoCs
pid Process
588 notepad.exe

Runs ping.exe 1 TTPs 1 IoCs
pid Process
2444 PING.EXE
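The event-log clearing, bcdedit, wbadmin, powercfg and ping entries above record only process names and PIDs. The PowerShell below is an added example, not part of this sandbox report or of the Mimic sample, showing how that chain can be turned into a detection over process-creation telemetry (records shaped like Sysmon Event ID 1 or Security 4688, with ParentPid, Pid, Image and CommandLine). The sample records at the bottom are constructed: the PIDs are borrowed from this report, but the command-line arguments are illustrative, since the page does not record them.

```powershell
# Added example (not from the sandbox report): tag defence-impairment
# process launches and cluster them by parent process.

function Get-ImpairmentTag {
    param([string]$Image, [string]$CommandLine)
    $img = ($Image -split '[\\/]')[-1].ToLowerInvariant()
    $cl  = $CommandLine.ToLowerInvariant()
    switch ($img) {
        'wevtutil.exe' { if ($cl -match '\s(cl|clear-log)\s') { return 'ClearEventLog' } }
        'bcdedit.exe'  { if ($cl -match 'recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures') { return 'DisableRecovery' } }
        'wbadmin.exe'  { if ($cl -match 'delete\s+(catalog|systemstatebackup|backup)') { return 'DeleteBackups' } }
        'powercfg.exe' { if ($cl -match '[-/](h|hibernate)\s+off|-(standby|hibernate|monitor)-timeout-(ac|dc)\s+0') { return 'PowerSettings' } }
        'fsutil.exe'   { if ($cl -match 'usn\s+deletejournal') { return 'DeleteUsnJournal' } }
        'ping.exe'     { if ($cl -match '-n\s+\d+\s+(127\.0\.0\.1|localhost)') { return 'PingDelay' } }
    }
    return $null
}

# One parent spawning several distinct impairment tactics in a run is the
# signal; a lone wevtutil or powercfg from an admin shell is not.
function Find-ImpairmentClusters {
    param([object[]]$Events, [int]$MinTactics = 3)
    $byParent = @{}
    foreach ($e in $Events) {
        $tag = Get-ImpairmentTag -Image $e.Image -CommandLine $e.CommandLine
        if (-not $tag) { continue }
        if (-not $byParent.ContainsKey($e.ParentPid)) { $byParent[$e.ParentPid] = @{} }
        $byParent[$e.ParentPid][$tag] = $true
    }
    foreach ($ppid in $byParent.Keys) {
        $tags = @($byParent[$ppid].Keys | Sort-Object)
        if ($tags.Count -ge $MinTactics) {
            [pscustomobject]@{ ParentPid = $ppid; TacticCount = $tags.Count; Tactics = ($tags -join ',') }
        }
    }
}

# Constructed telemetry. PIDs are taken from the report; the arguments are
# illustrative because the sandbox page does not record command lines.
$sample = @(
    [pscustomobject]@{ ParentPid = 2432; Pid = 2384; Image = 'C:\Windows\System32\wevtutil.exe'; CommandLine = 'wevtutil.exe cl Security' }
    [pscustomobject]@{ ParentPid = 2432; Pid = 2244; Image = 'C:\Windows\System32\wevtutil.exe'; CommandLine = 'wevtutil.exe cl System' }
    [pscustomobject]@{ ParentPid = 2432; Pid = 2644; Image = 'C:\Windows\System32\bcdedit.exe';  CommandLine = 'bcdedit /set {default} recoveryenabled No' }
    [pscustomobject]@{ ParentPid = 2432; Pid = 2316; Image = 'C:\Windows\System32\wbadmin.exe';  CommandLine = 'wbadmin delete catalog -quiet' }
    [pscustomobject]@{ ParentPid = 2432; Pid = 1112; Image = 'C:\Windows\System32\powercfg.exe'; CommandLine = 'powercfg -h off' }
    [pscustomobject]@{ ParentPid = 2432; Pid = 1540; Image = 'C:\Windows\System32\powercfg.exe'; CommandLine = 'powercfg -change -standby-timeout-ac 0' }
    [pscustomobject]@{ ParentPid = 1812; Pid = 2444; Image = 'C:\Windows\System32\PING.EXE';     CommandLine = 'ping -n 3 127.0.0.1' }
    # Benign noise: an administrator clearing one log from an interactive shell.
    [pscustomobject]@{ ParentPid = 900;  Pid = 901;  Image = 'C:\Windows\System32\wevtutil.exe'; CommandLine = 'wevtutil.exe cl Application' }
)

Find-ImpairmentClusters -Events $sample | Format-Table -AutoSize
```

On the constructed input only parent PID 2432 is reported (ClearEventLog, DeleteBackups, DisableRecovery and PowerSettings); the single wevtutil from PID 900 and the ping from PID 1812 stay below the threshold. Feed it real records by selecting ParentProcessId, ProcessId, Image and CommandLine from Sysmon Event ID 1, and lower MinTactics only if your environment never runs these tools from a single parent legitimately.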
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid Process
2432 freeworldencrypting.exe (19 enumerations)
1612 powershell.exe
1884 powershell.exe
1888 powershell.exe
2796 freeworldencrypting.exe
2428 freeworldencrypting.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Each freeworldencrypting.exe instance enables every privilege held by an elevated administrator token in one pass (SeDebug, SeBackup, SeRestore and SeTakeOwnership among them), which is what a ransomware process does before it touches every file on the system. Tokens 33, 34 and 35 are the LUIDs of SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege.
description pid Process
PID 3008 freeworldencrypting.exe (23 tokens): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
PID 2432 freeworldencrypting.exe (23 tokens): the same 23 privileges as PID 3008
PID 2796 freeworldencrypting.exe (18 tokens, list truncated at the 64-IoC cap): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
1360 Everything.exe
1520 Everything.exe
Suspicious use of WriteProcessMemory 64 IoCs
Every target below is a child this sample started: 2684, 2428 and 2796 are the dropped freeworldencrypting.exe copies listed under Executes dropped EXE, and 2624, 2672, 2980, 3036, 1964, 2996, 1664, 1540, 1112, 496 and 1068 are powercfg.exe PIDs listed under Power Settings. Four writes per target is consistent with ordinary child-process creation (the parent writing startup parameters into each new process) rather than injection into unrelated processes.
description pid Process procid_target (each line stands for four identical IoCs)
PID 3008 wrote to memory of 2432  3008 freeworldencrypting.exe  31
PID 2432 wrote to memory of 2708  2432 freeworldencrypting.exe  32
PID 2432 wrote to memory of 2684  2432 freeworldencrypting.exe  33
PID 2432 wrote to memory of 2428  2432 freeworldencrypting.exe  34
PID 2432 wrote to memory of 2796  2432 freeworldencrypting.exe  35
PID 2432 wrote to memory of 2624  2432 freeworldencrypting.exe  37
PID 2432 wrote to memory of 2672  2432 freeworldencrypting.exe  38
PID 2432 wrote to memory of 2980  2432 freeworldencrypting.exe  39
PID 2432 wrote to memory of 3036  2432 freeworldencrypting.exe  40
PID 2432 wrote to memory of 1964  2432 freeworldencrypting.exe  42
PID 2432 wrote to memory of 2996  2432 freeworldencrypting.exe  44
PID 2432 wrote to memory of 1664  2432 freeworldencrypting.exe  45
PID 2432 wrote to memory of 1540  2432 freeworldencrypting.exe  46
PID 2432 wrote to memory of 1112  2432 freeworldencrypting.exe  47
PID 2432 wrote to memory of 496   2432 freeworldencrypting.exe  48
PID 2432 wrote to memory of 1068  2432 freeworldencrypting.exe  50
System policy modification 1 TTPs 13 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1" freeworldencrypting.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection freeworldencrypting.exe
Key created \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\System freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" freeworldencrypting.exe
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer freeworldencrypting.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" freeworldencrypting.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Sisteminizdeki bir güvenlik açığını kullanarak sisteminizi şifreledim.\nBilgilerinizi istiyorsanız bize ödeme yapmalısınız.\nSisteminizde kullandığım fidye yazılımı projesi tamamen özel bir projedir. Kırılamaz. çözülemez.\nSize yardımcı olabileceğini söyleyen kişiler sıklıkla bize gelerek sizin adınıza yardım talebinde bulunuyorlar.\nBu durumda normalde ödediğinizden daha fazla ödemek zorunda kalacaksınız. Doğrudan bizimle iletişime geçmeniz durumunda ödeyeceğiniz ücret daha düşük olacaktır.\nBize güvenmiyor olabilirsiniz. Ama size yardımcı olmak için elimizden geleni yapıyoruz.\n48 saat içerisinde verilerini açıp sizi yardım ettiğimiz bir firmaya yönlendirebiliriz.\nDünyanın her yerinde referanslarımızın olduğunu bilmenizi isteriz.\nŞifrelenmiş verileri açacağız. Bu bizim işimiz. Para alıyoruz ve yardım ediyoruz. Güvenlik açıklarınızı kapatıyoruz. Güvenliğinizi sağlıyoruz ve tavsiyelerde bulunuyoruz.\nBizden satın alacağınız şey sadece verileriniz değildir. aynı zamanda güvenliğiniz\nAmacımız hacklenen sistemleri size geri döndürmek.\nAncak hizmetlerimizin karşılığını almak istiyoruz.\nSizden istediğimiz en önemli şey. Hızlı olmalısın. İletişim kurarken hızlı tepki verin ve durumu hızlı bir şekilde çözün. Zaman kaybetmek istemiyoruz.\nŞifrelenmiş verileri açabildiğimizi size kanıtlayabiliriz.\nSizin için önemli olmayan .png, jpg, avi, pdf dosya uzantılarına sahip istediğiniz örnek dosyayı gönderebilirsiniz. Dosyayı çalışır durumda size geri göndereceğiz. \nDosya limitimiz 3'tür. Daha fazlasını sizin için ücretsiz açamayız.\nVeritabanı dosyalarınızı bize gönderebilirsiniz. Veritabanı dosyanızı çalıştırdıktan sonra size istediğiniz tablonun ekran görüntüsünü gönderebiliriz.\n\nE-posta adresi: [email protected]\n\nBu Anahtarı Bize Göndereceksiniz: yltAiCdUX9ecl0T6bZvP0MYU7-MfiX-rFT6oZNn1kFU*EncryptedDATA" freeworldencrypting.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = " " freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" freeworldencrypting.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\samples\freeworldencrypting.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\samples\freeworldencrypting.exe"
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008

  C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe"
    - UAC bypass
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2432

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: cmd.exe /c DC.exe /D
      - System Location Discovery: System Language Discovery
      PID:2708

    C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe" -e watch -pid 2432 -!
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID:2684

    C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe" -e ul1
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID:2428

    C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe" -e ul2
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2796

    C:\Windows\system32\powercfg.exe (level 3)
      Command line: powercfg.exe -H off
      - Power Settings
      PID:2624

    C:\Windows\system32\powercfg.exe (level 3)
      Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
      - Power Settings
      PID:2672

    C:\Windows\system32\powercfg.exe (level 3)
      Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      - Power Settings
      PID:2980

    C:\Windows\system32\powercfg.exe (level 3)
      Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
      - Power Settings
      PID:3036

    C:\Windows\system32\powercfg.exe (level 3)
      Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
      - Power Settings
      PID:1964

    C:\Windows\system32\powercfg.exe (level 3)
      Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      - Power Settings
      PID:2996

    C:\Windows\system32\powercfg.exe (level 3)
      Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
      - Power Settings
      PID:1664

    C:\Windows\system32\powercfg.exe (level 3)
      Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
      - Power Settings
      PID:1540

    C:\Windows\system32\powercfg.exe (level 3)
      Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      - Power Settings
      PID:1112

    C:\Windows\system32\powercfg.exe (level 3)
      Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
      - Power Settings
      PID:496

    C:\Windows\system32\powercfg.exe (level 3)
      Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
      - Power Settings
      PID:1068

    C:\Windows\system32\powercfg.exe (level 3)
      Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      - Power Settings
      PID:2004

    C:\Windows\system32\powercfg.exe (level 3)
      Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
      - Power Settings
      PID:2304

    C:\Windows\system32\powercfg.exe (level 3)
      Command line: powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
      - Power Settings
      PID:1600

    C:\Windows\system32\powercfg.exe (level 3)
      Command line: powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
      - Power Settings
      PID:872

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      PID:1884

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      PID:1612

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      PID:1888

    C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\Everything.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\Everything.exe" -startup
      - Executes dropped EXE
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:1360

    C:\Windows\system32\bcdedit.exe (level 3)
      Command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID:2644

    C:\Windows\system32\bcdedit.exe (level 3)
      Command line: bcdedit.exe /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
      PID:3060

    C:\Windows\system32\wbadmin.exe (level 3)
      Command line: wbadmin.exe DELETE SYSTEMSTATEBACKUP
      - Deletes System State backups
      - Drops file in Windows directory
      PID:2316

    C:\Windows\system32\wbadmin.exe (level 3)
      Command line: wbadmin.exe delete catalog -quiet
      - Deletes backup catalog
      PID:2656

    C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\Everything.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\Everything.exe" -startup
      - Executes dropped EXE
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:1520

    C:\Windows\SysWOW64\notepad.exe (level 3)
      Command line: notepad.exe "C:\Users\Admin\AppData\Local\HACKLENDINIZ.txt"
      - System Location Discovery: System Language Discovery
      - Opens file in notepad (likely ransom note)
      PID:588

    C:\Windows\SysWOW64\wevtutil.exe (level 3)
      Command line: wevtutil.exe cl security
      - Clears Windows event logs
      - System Location Discovery: System Language Discovery
      PID:1252

    C:\Windows\SysWOW64\wevtutil.exe (level 3)
      Command line: wevtutil.exe cl system
      - Clears Windows event logs
      - System Location Discovery: System Language Discovery
      PID:2244

    C:\Windows\SysWOW64\wevtutil.exe (level 3)
      Command line: wevtutil.exe cl application
      - Clears Windows event logs
      - System Location Discovery: System Language Discovery
      PID:2384

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: cmd.exe /d /c "ping 127.2 -n 5 & fsutil file setZeroData offset=0 length=20000000 "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe" & cd /d "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88" & Del /f /q /a *.exe *.ini *.dll *.bat *.db"
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      PID:1812

      C:\Windows\SysWOW64\PING.EXE (level 4)
        Command line: ping 127.2 -n 5
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID:2444

      C:\Windows\SysWOW64\fsutil.exe (level 4)
        Command line: fsutil file setZeroData offset=0 length=20000000 "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe"
        - System Location Discovery: System Language Discovery
        PID:712

C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  PID:2288

C:\Windows\system32\wbengine.exe (level 1)
  Command line: "C:\Windows\system32\wbengine.exe"
  PID:2732

C:\Windows\System32\vdsldr.exe (level 1)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID:1780

C:\Windows\System32\vds.exe (level 1)
  Command line: C:\Windows\System32\vds.exe
  PID:1088
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
- Power Settings (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Indicator Removal (3)
  - Clear Windows Event Logs (1)
  - File Deletion (2)
- Modify Registry (4)
Downloads