Malware Analysis Report

2025-01-03 09:01

Sample ID 240928-paf56axfrf
Target fc43d639ba6ccea886c31aeb8fcac9a0_JaffaCakes118
SHA256 de2fb10156d4852276992216e053a0c57fccf1e79051010ebf8299a4e9e253fb
Tags
gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de2fb10156d4852276992216e053a0c57fccf1e79051010ebf8299a4e9e253fb

Threat Level: Known bad

The file fc43d639ba6ccea886c31aeb8fcac9a0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gandcrab backdoor credential_access defense_evasion discovery execution impact ransomware spyware stealer

Gandcrab

Renames multiple (318) files with added filename extension

Renames multiple (274) files with added filename extension

Deletes shadow copies

Credentials from Password Stores: Windows Credential Manager

Checks computer location settings

Reads user/profile data of web browsers

Drops startup file

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Checks processor information in registry

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-28 12:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-28 12:07

Reported

2024-09-28 12:09

Platform

win7-20240729-en

Max time kernel

133s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sample.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (274) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\SHRVD-DECRYPT.html C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\c123b1a9c123b64b114.lock C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\ConvertFromDismount.easmx C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\MeasureRegister.mht C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\OutLock.wma C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\RemoveExport.7z C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\SendConvert.avi C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\LimitRegister.wm C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\SelectRemove.odt C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\SetCopy.M2T C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\StopGet.pptx C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\SHRVD-DECRYPT.html C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\SHRVD-DECRYPT.html C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\FormatMeasure.potx C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\MergeSplit.rar C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\UndoMount.snd C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\c123b1a9c123b64b114.lock C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files (x86)\c123b1a9c123b64b114.lock C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\SHRVD-DECRYPT.html C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\c123b1a9c123b64b114.lock C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\BackupAssert.mov C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\UseInstall.avi C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\ImportHide.m4v C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\SetSync.zip C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\UpdateAdd.vbe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\c123b1a9c123b64b114.lock C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\JoinConnect.ttc C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\TestUse.pub C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\SHRVD-DECRYPT.html C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\ClearDebug.dotx C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\UnregisterDisable.ttf C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files (x86)\SHRVD-DECRYPT.html C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\c123b1a9c123b64b114.lock C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\sample.exe

"C:\Users\Admin\AppData\Local\Temp\sample.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.billerimpex.com udp
US 8.8.8.8:53 www.macartegrise.eu udp
US 172.67.145.98:80 www.macartegrise.eu tcp
US 172.67.145.98:443 www.macartegrise.eu tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 www.poketeg.com udp
US 104.155.138.21:80 www.poketeg.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.17.5.133:80 www.microsoft.com tcp
US 104.155.138.21:80 www.poketeg.com tcp
US 8.8.8.8:53 perovaphoto.ru udp
US 8.8.8.8:53 asl-company.ru udp
RU 87.236.16.243:80 asl-company.ru tcp
RU 87.236.16.243:80 asl-company.ru tcp
US 8.8.8.8:53 www.fabbfoundation.gm udp
US 66.235.200.146:80 www.fabbfoundation.gm tcp
US 66.235.200.146:443 www.fabbfoundation.gm tcp
US 8.8.8.8:53 www.perfectfunnelblueprint.com udp
US 8.8.8.8:53 www.wash-wear.com udp
US 104.21.40.198:80 www.wash-wear.com tcp
US 104.21.40.198:80 www.wash-wear.com tcp
US 8.8.8.8:53 pp-panda74.ru udp
US 8.8.8.8:53 cevent.net udp
US 107.178.223.183:80 cevent.net tcp

Files

C:\MSOCache\SHRVD-DECRYPT.html

MD5 dfdc916afd02ee38a78b390f8b5b5513
SHA1 b389e3aff7c03d4ddeedcb9814c688a9c803efa8
SHA256 6be9686597b19b237fb38ac362e3958f50989923f92644c3b982781b6bf3d9e2
SHA512 5ee99225e5f98d82ffbf8a5a96836ffb7f06c74993e6d0aff7b3cf73dc70af8f3be34b4dbe65f2c2ec7a9563b511d5910628bdc60a189a12cd34b23bd0869622

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-28 12:07

Reported

2024-09-28 12:09

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sample.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (318) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\VWZYT-DECRYPT.html C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ee5e8404ee5e83e6114.lock C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\ConnectUndo.potx C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\GroupSplit.midi C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\InvokeInstall.aifc C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\OpenLock.eps C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\ReceiveSelect.mpe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\RequestBackup.mht C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\VWZYT-DECRYPT.html C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\CompleteSuspend.MTS C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\SendComplete.dotm C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\InstallDisable.vstx C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\LimitStart.doc C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\SearchExit.mp3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\UnpublishRevoke.DVR-MS C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files (x86)\ee5e8404ee5e83e6114.lock C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\ExpandRevoke.wmv C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\InitializeSplit.tiff C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\StepRedo.xps C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\ee5e8404ee5e83e6114.lock C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\SelectBlock.vstx C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\StartSend.search-ms C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\SyncExport.rar C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\UnprotectJoin.clr C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files (x86)\VWZYT-DECRYPT.html C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\SearchUnprotect.gif C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\SplitUninstall.m1v C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4192 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4192 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4192 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\wbem\wmic.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\sample.exe

"C:\Users\Admin\AppData\Local\Temp\sample.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.billerimpex.com udp
US 8.8.8.8:53 www.macartegrise.eu udp
US 172.67.145.98:80 www.macartegrise.eu tcp
US 172.67.145.98:443 www.macartegrise.eu tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 98.145.67.172.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 www.poketeg.com udp
US 104.155.138.21:80 www.poketeg.com tcp
US 8.8.8.8:53 21.138.155.104.in-addr.arpa udp
US 104.155.138.21:80 www.poketeg.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 perovaphoto.ru udp
US 8.8.8.8:53 asl-company.ru udp
RU 87.236.16.243:80 asl-company.ru tcp
RU 87.236.16.243:80 asl-company.ru tcp
US 8.8.8.8:53 www.fabbfoundation.gm udp
US 66.235.200.146:80 www.fabbfoundation.gm tcp
US 8.8.8.8:53 243.16.236.87.in-addr.arpa udp
US 8.8.8.8:53 146.200.235.66.in-addr.arpa udp
US 66.235.200.146:443 www.fabbfoundation.gm tcp
US 8.8.8.8:53 www.perfectfunnelblueprint.com udp
US 8.8.8.8:53 www.wash-wear.com udp
US 172.67.188.72:80 www.wash-wear.com tcp
US 8.8.8.8:53 72.188.67.172.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 172.67.188.72:80 www.wash-wear.com tcp
US 8.8.8.8:53 pp-panda74.ru udp
US 8.8.8.8:53 cevent.net udp
US 107.178.223.183:80 cevent.net tcp
US 8.8.8.8:53 183.223.178.107.in-addr.arpa udp
US 107.178.223.183:80 cevent.net tcp

Files

C:\$Recycle.Bin\VWZYT-DECRYPT.html

MD5 bf07914221e2b090ccd0adc6428e94b9
SHA1 156cc124836d4b175abb4bfbaa945298fde7ab48
SHA256 5259d525b1c129e5fc3e0ab312b4373d863669da88c222218a32823f6085350a
SHA512 7b62bb929e02b569553ba8d3db5d6152e42af377e98cb2018e9a91f231bc3473418955d327e202f7e4b4e48534ade0bcd6de9ba4725cdc3b63a9b495bf8f3c79