Analysis Overview
SHA256
de2fb10156d4852276992216e053a0c57fccf1e79051010ebf8299a4e9e253fb
Threat Level: Known bad
The file fc43d639ba6ccea886c31aeb8fcac9a0_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gandcrab
Renames multiple (318) files with added filename extension
Renames multiple (274) files with added filename extension
Deletes shadow copies
Credentials from Password Stores: Windows Credential Manager
Checks computer location settings
Reads user/profile data of web browsers
Drops startup file
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Checks processor information in registry
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-28 12:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-28 12:07
Reported
2024-09-28 12:09
Platform
win7-20240729-en
Max time kernel
133s
Max time network
142s
Command Line
Signatures
Gandcrab
Deletes shadow copies
Renames multiple (274) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\SHRVD-DECRYPT.html | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\c123b1a9c123b64b114.lock | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\ConvertFromDismount.easmx | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\MeasureRegister.mht | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\OutLock.wma | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\RemoveExport.7z | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\SendConvert.avi | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\LimitRegister.wm | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\SelectRemove.odt | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\SetCopy.M2T | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\StopGet.pptx | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\SHRVD-DECRYPT.html | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\SHRVD-DECRYPT.html | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\FormatMeasure.potx | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\MergeSplit.rar | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\UndoMount.snd | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\c123b1a9c123b64b114.lock | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Program Files (x86)\c123b1a9c123b64b114.lock | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Program Files\SHRVD-DECRYPT.html | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Program Files\c123b1a9c123b64b114.lock | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\BackupAssert.mov | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\UseInstall.avi | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\ImportHide.m4v | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\SetSync.zip | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\UpdateAdd.vbe | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\c123b1a9c123b64b114.lock | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\JoinConnect.ttc | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\TestUse.pub | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\SHRVD-DECRYPT.html | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\ClearDebug.dotx | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\UnregisterDisable.ttf | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Program Files (x86)\SHRVD-DECRYPT.html | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\c123b1a9c123b64b114.lock | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2652 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\sample.exe | C:\Windows\SysWOW64\wbem\wmic.exe |
| PID 2652 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\sample.exe | C:\Windows\SysWOW64\wbem\wmic.exe |
| PID 2652 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\sample.exe | C:\Windows\SysWOW64\wbem\wmic.exe |
| PID 2652 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\sample.exe | C:\Windows\SysWOW64\wbem\wmic.exe |
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\sample.exe | "C:\Users\Admin\AppData\Local\Temp\sample.exe" |
| C:\Windows\SysWOW64\wbem\wmic.exe | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.billerimpex.com | udp |
| US | 8.8.8.8:53 | www.macartegrise.eu | udp |
| US | 172.67.145.98:80 | www.macartegrise.eu | tcp |
| US | 172.67.145.98:443 | www.macartegrise.eu | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | www.poketeg.com | udp |
| US | 104.155.138.21:80 | www.poketeg.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 2.17.5.133:80 | www.microsoft.com | tcp |
| US | 104.155.138.21:80 | www.poketeg.com | tcp |
| US | 8.8.8.8:53 | perovaphoto.ru | udp |
| US | 8.8.8.8:53 | asl-company.ru | udp |
| RU | 87.236.16.243:80 | asl-company.ru | tcp |
| RU | 87.236.16.243:80 | asl-company.ru | tcp |
| US | 8.8.8.8:53 | www.fabbfoundation.gm | udp |
| US | 66.235.200.146:80 | www.fabbfoundation.gm | tcp |
| US | 66.235.200.146:443 | www.fabbfoundation.gm | tcp |
| US | 8.8.8.8:53 | www.perfectfunnelblueprint.com | udp |
| US | 8.8.8.8:53 | www.wash-wear.com | udp |
| US | 104.21.40.198:80 | www.wash-wear.com | tcp |
| US | 104.21.40.198:80 | www.wash-wear.com | tcp |
| US | 8.8.8.8:53 | pp-panda74.ru | udp |
| US | 8.8.8.8:53 | cevent.net | udp |
| US | 107.178.223.183:80 | cevent.net | tcp |
Files
C:\MSOCache\SHRVD-DECRYPT.html
| Hash | Value |
| --- | --- |
| MD5 | dfdc916afd02ee38a78b390f8b5b5513 |
| SHA1 | b389e3aff7c03d4ddeedcb9814c688a9c803efa8 |
| SHA256 | 6be9686597b19b237fb38ac362e3958f50989923f92644c3b982781b6bf3d9e2 |
| SHA512 | 5ee99225e5f98d82ffbf8a5a96836ffb7f06c74993e6d0aff7b3cf73dc70af8f3be34b4dbe65f2c2ec7a9563b511d5910628bdc60a189a12cd34b23bd0869622 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-28 12:07
Reported
2024-09-28 12:09
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Gandcrab
Deletes shadow copies
Renames multiple (318) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\VWZYT-DECRYPT.html | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ee5e8404ee5e83e6114.lock | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\ConnectUndo.potx | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\GroupSplit.midi | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\InvokeInstall.aifc | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\OpenLock.eps | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\ReceiveSelect.mpe | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\RequestBackup.mht | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Program Files\VWZYT-DECRYPT.html | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\CompleteSuspend.MTS | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\SendComplete.dotm | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\InstallDisable.vstx | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\LimitStart.doc | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\SearchExit.mp3 | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\UnpublishRevoke.DVR-MS | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Program Files (x86)\ee5e8404ee5e83e6114.lock | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\ExpandRevoke.wmv | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\InitializeSplit.tiff | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\StepRedo.xps | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Program Files\ee5e8404ee5e83e6114.lock | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\SelectBlock.vstx | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\StartSend.search-ms | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\SyncExport.rar | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\UnprotectJoin.clr | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Program Files (x86)\VWZYT-DECRYPT.html | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\SearchUnprotect.gif | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Program Files\SplitUninstall.m1v | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4192 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\sample.exe | C:\Windows\SysWOW64\wbem\wmic.exe |
| PID 4192 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\sample.exe | C:\Windows\SysWOW64\wbem\wmic.exe |
| PID 4192 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\sample.exe | C:\Windows\SysWOW64\wbem\wmic.exe |
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\sample.exe | "C:\Users\Admin\AppData\Local\Temp\sample.exe" |
| C:\Windows\SysWOW64\wbem\wmic.exe | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.billerimpex.com | udp |
| US | 8.8.8.8:53 | www.macartegrise.eu | udp |
| US | 172.67.145.98:80 | www.macartegrise.eu | tcp |
| US | 172.67.145.98:443 | www.macartegrise.eu | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 98.145.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.poketeg.com | udp |
| US | 104.155.138.21:80 | www.poketeg.com | tcp |
| US | 8.8.8.8:53 | 21.138.155.104.in-addr.arpa | udp |
| US | 104.155.138.21:80 | www.poketeg.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | perovaphoto.ru | udp |
| US | 8.8.8.8:53 | asl-company.ru | udp |
| RU | 87.236.16.243:80 | asl-company.ru | tcp |
| RU | 87.236.16.243:80 | asl-company.ru | tcp |
| US | 8.8.8.8:53 | www.fabbfoundation.gm | udp |
| US | 66.235.200.146:80 | www.fabbfoundation.gm | tcp |
| US | 8.8.8.8:53 | 243.16.236.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.200.235.66.in-addr.arpa | udp |
| US | 66.235.200.146:443 | www.fabbfoundation.gm | tcp |
| US | 8.8.8.8:53 | www.perfectfunnelblueprint.com | udp |
| US | 8.8.8.8:53 | www.wash-wear.com | udp |
| US | 172.67.188.72:80 | www.wash-wear.com | tcp |
| US | 8.8.8.8:53 | 72.188.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 172.67.188.72:80 | www.wash-wear.com | tcp |
| US | 8.8.8.8:53 | pp-panda74.ru | udp |
| US | 8.8.8.8:53 | cevent.net | udp |
| US | 107.178.223.183:80 | cevent.net | tcp |
| US | 8.8.8.8:53 | 183.223.178.107.in-addr.arpa | udp |
| US | 107.178.223.183:80 | cevent.net | tcp |
Files
C:\$Recycle.Bin\VWZYT-DECRYPT.html
| Hash | Value |
| --- | --- |
| MD5 | bf07914221e2b090ccd0adc6428e94b9 |
| SHA1 | 156cc124836d4b175abb4bfbaa945298fde7ab48 |
| SHA256 | 5259d525b1c129e5fc3e0ab312b4373d863669da88c222218a32823f6085350a |
| SHA512 | 7b62bb929e02b569553ba8d3db5d6152e42af377e98cb2018e9a91f231bc3473418955d327e202f7e4b4e48534ade0bcd6de9ba4725cdc3b63a9b495bf8f3c79 |