Malware Analysis Report

2024-10-23 19:52

Sample ID 241001-d4mn9ayclq
Target 2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry
SHA256 fb883f97d3c70a079865c0e7e1f5c97da399b06eaaad65eaa19c7ec90ec5c09f
Tags chaos defense_evasion evasion execution impact ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 fb883f97d3c70a079865c0e7e1f5c97da399b06eaaad65eaa19c7ec90ec5c09f

Threat Level: Known bad

The file 2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry was found to be: Known bad.

Malicious Activity Summary

chaos defense_evasion evasion execution impact ransomware spyware stealer

Chaos

Chaos family

Chaos Ransomware

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes backup catalog

Drops startup file

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: AddClipboardFormatListener

Interacts with shadow copies

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies registry class

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-01 03:33

Signatures

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Chaos family

chaos

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-01 03:33
Reported 2024-10-01 03:36
Platform win7-20240903-en
Max time kernel 117s
Max time network 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Deletes backup catalog

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zambaramba.url | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Opens file in notepad (likely ransom note)

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2932 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | C:\Users\Admin\AppData\Roaming\zambaramba.exe
PID 2932 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | C:\Users\Admin\AppData\Roaming\zambaramba.exe
PID 2932 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | C:\Users\Admin\AppData\Roaming\zambaramba.exe
PID 2744 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | C:\Windows\System32\cmd.exe
PID 2744 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | C:\Windows\System32\cmd.exe
PID 2744 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | C:\Windows\System32\cmd.exe
PID 2556 wrote to memory of 2948 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2556 wrote to memory of 2948 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2556 wrote to memory of 2948 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2556 wrote to memory of 2016 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2556 wrote to memory of 2016 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2556 wrote to memory of 2016 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2744 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | C:\Windows\System32\cmd.exe
PID 2744 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | C:\Windows\System32\cmd.exe
PID 2744 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | C:\Windows\System32\cmd.exe
PID 772 wrote to memory of 780 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 772 wrote to memory of 780 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 772 wrote to memory of 780 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 772 wrote to memory of 320 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 772 wrote to memory of 320 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 772 wrote to memory of 320 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2744 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | C:\Windows\System32\cmd.exe
PID 2744 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | C:\Windows\System32\cmd.exe
PID 2744 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | C:\Windows\System32\cmd.exe
PID 3052 wrote to memory of 2512 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\wbadmin.exe
PID 3052 wrote to memory of 2512 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\wbadmin.exe
PID 3052 wrote to memory of 2512 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\wbadmin.exe
PID 2744 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | C:\Windows\system32\NOTEPAD.EXE
PID 2744 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | C:\Windows\system32\NOTEPAD.EXE
PID 2744 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe"

C:\Users\Admin\AppData\Roaming\zambaramba.exe

"C:\Users\Admin\AppData\Roaming\zambaramba.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

N/A

Files

memory/2932-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

memory/2932-1-0x00000000000C0000-0x00000000000CC000-memory.dmp

memory/2744-7-0x00000000012D0000-0x00000000012DC000-memory.dmp

C:\Users\Admin\AppData\Roaming\zambaramba.exe

MD5 2a163665e2c9b007dddaa37bd4f5eb11
SHA1 23e2bc9ff87681a093465389ab3b4e7dba6df7b5
SHA256 fb883f97d3c70a079865c0e7e1f5c97da399b06eaaad65eaa19c7ec90ec5c09f
SHA512 1612a909c5a7544e78270b800022f76e9325a713f77a676c51e5647c976dab3219d3bd1322fb18974479aa5294a0dd50f85644a781f92a06a0b6e09c6a5554c3

C:\Users\Admin\Desktop\read_it.txt

MD5 6d081874126362534d35057a296d2287
SHA1 31208b98e212c86423e9f42b911a10073b695c38
SHA256 d7f27743b24a4e099216d76828ceb277d9e2e6dd2e2a958de22b3e277a01e482
SHA512 0b6abda02243dd63a69cba826396432fd6e9d916a06ebb9038133fa18ea112cb7caafe0188f4cb1aef2232f136b68cdbdd6fb2c726955c10ae3b3ba995d3a932

memory/2744-27-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

memory/2744-71-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

memory/2744-73-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-01 03:33
Reported 2024-10-01 03:36
Platform win10v2004-20240802-en
Max time kernel 93s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Deletes backup catalog

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zambaramba.url | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A

Interacts with shadow copies

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A

Opens file in notepad (likely ransom note)

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\zambaramba.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1308 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe C:\Users\Admin\AppData\Roaming\zambaramba.exe
PID 1308 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe C:\Users\Admin\AppData\Roaming\zambaramba.exe
PID 4996 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\zambaramba.exe C:\Windows\System32\cmd.exe
PID 4996 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\zambaramba.exe C:\Windows\System32\cmd.exe
PID 2784 wrote to memory of 2144 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2784 wrote to memory of 2144 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2784 wrote to memory of 4424 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2784 wrote to memory of 4424 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4996 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Roaming\zambaramba.exe C:\Windows\System32\cmd.exe
PID 4996 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Roaming\zambaramba.exe C:\Windows\System32\cmd.exe
PID 3104 wrote to memory of 772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3104 wrote to memory of 772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3104 wrote to memory of 2812 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3104 wrote to memory of 2812 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4996 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Roaming\zambaramba.exe C:\Windows\System32\cmd.exe
PID 4996 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Roaming\zambaramba.exe C:\Windows\System32\cmd.exe
PID 3448 wrote to memory of 2224 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3448 wrote to memory of 2224 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4996 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Roaming\zambaramba.exe C:\Windows\system32\NOTEPAD.EXE
PID 4996 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Roaming\zambaramba.exe C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-01_2a163665e2c9b007dddaa37bd4f5eb11_chaos_destroyer_wannacry.exe"

C:\Users\Admin\AppData\Roaming\zambaramba.exe

"C:\Users\Admin\AppData\Roaming\zambaramba.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/1308-0-0x00007FF81C163000-0x00007FF81C165000-memory.dmp

memory/1308-1-0x0000000000150000-0x000000000015C000-memory.dmp

C:\Users\Admin\AppData\Roaming\zambaramba.exe

MD5 2a163665e2c9b007dddaa37bd4f5eb11
SHA1 23e2bc9ff87681a093465389ab3b4e7dba6df7b5
SHA256 fb883f97d3c70a079865c0e7e1f5c97da399b06eaaad65eaa19c7ec90ec5c09f
SHA512 1612a909c5a7544e78270b800022f76e9325a713f77a676c51e5647c976dab3219d3bd1322fb18974479aa5294a0dd50f85644a781f92a06a0b6e09c6a5554c3

memory/4996-14-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

C:\Users\Admin\Desktop\read_it.txt

MD5 6d081874126362534d35057a296d2287
SHA1 31208b98e212c86423e9f42b911a10073b695c38
SHA256 d7f27743b24a4e099216d76828ceb277d9e2e6dd2e2a958de22b3e277a01e482
SHA512 0b6abda02243dd63a69cba826396432fd6e9d916a06ebb9038133fa18ea112cb7caafe0188f4cb1aef2232f136b68cdbdd6fb2c726955c10ae3b3ba995d3a932

memory/4996-69-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

memory/4996-71-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp