Overview
overview
10Static
static
1038f792a175...c0.exe
windows7-x64
1038f792a175...c0.exe
windows10-1703-x64
1038f792a175...c0.exe
windows10-2004-x64
1038f792a175...c0.exe
windows11-21h2-x64
103dfaf477d5...a7.exe
windows7-x64
93dfaf477d5...a7.exe
windows10-1703-x64
93dfaf477d5...a7.exe
windows10-2004-x64
93dfaf477d5...a7.exe
windows11-21h2-x64
9801505b222...4e.exe
windows7-x64
9801505b222...4e.exe
windows10-1703-x64
9801505b222...4e.exe
windows10-2004-x64
9801505b222...4e.exe
windows11-21h2-x64
9be7c6e308b...8e.exe
windows7-x64
10be7c6e308b...8e.exe
windows10-1703-x64
10be7c6e308b...8e.exe
windows10-2004-x64
10be7c6e308b...8e.exe
windows11-21h2-x64
10ecfb5c95d0...9d.exe
windows7-x64
10ecfb5c95d0...9d.exe
windows10-1703-x64
10ecfb5c95d0...9d.exe
windows10-2004-x64
10ecfb5c95d0...9d.exe
windows11-21h2-x64
10Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
18-10-2024 17:30
Behavioral task
behavioral1
Sample
38f792a175c366b53407143da8c13ea2f1d3600b00ef8e8f6ec7e0ef79dcb6c0.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
38f792a175c366b53407143da8c13ea2f1d3600b00ef8e8f6ec7e0ef79dcb6c0.exe
Resource
win10-20240611-en
Behavioral task
behavioral3
Sample
38f792a175c366b53407143da8c13ea2f1d3600b00ef8e8f6ec7e0ef79dcb6c0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
38f792a175c366b53407143da8c13ea2f1d3600b00ef8e8f6ec7e0ef79dcb6c0.exe
Resource
win11-20241007-en
Behavioral task
behavioral5
Sample
3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
Resource
win10-20240404-en
Behavioral task
behavioral7
Sample
3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral8
Sample
3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
Resource
win11-20241007-en
Behavioral task
behavioral9
Sample
801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
Resource
win10-20240404-en
Behavioral task
behavioral11
Sample
801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral12
Sample
801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
Resource
win11-20241007-en
Behavioral task
behavioral13
Sample
be7c6e308b1d8a20cc46232fc95f6c094717f05cadb0c7a03108d969b561f68e.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
be7c6e308b1d8a20cc46232fc95f6c094717f05cadb0c7a03108d969b561f68e.exe
Resource
win10-20240611-en
Behavioral task
behavioral15
Sample
be7c6e308b1d8a20cc46232fc95f6c094717f05cadb0c7a03108d969b561f68e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral16
Sample
be7c6e308b1d8a20cc46232fc95f6c094717f05cadb0c7a03108d969b561f68e.exe
Resource
win11-20241007-en
Behavioral task
behavioral17
Sample
ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Resource
win10-20240404-en
Behavioral task
behavioral19
Sample
ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral20
Sample
ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Resource
win11-20241007-en
General
-
Target
ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
-
Size
52KB
-
MD5
ba9210de03de945901f02792f7994871
-
SHA1
20c4569cbb6f2650b02f6a5257faa8a8dfb298bd
-
SHA256
ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d
-
SHA512
277d26eea627b3da26664aaa4f72a7b79cd50311e45c59333563b4f58b76e6562cbaa1d55127c69d0830864721efa890fa824e1be381cca5e84bddc98f2b44d0
-
SSDEEP
1536:EJJRZQJes5b0k5bbyu6hXOKJrkH6sNNW:oJRa4kLmNVOKJIasNE
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\README_1380491.txt
http://t5vj34iny72dpdu4.onion
https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 2232 bcdedit.exe 2636 bcdedit.exe -
Disables Task Manager via registry modification
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2428 cmd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe" ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe -
Drops desktop.ini file(s) 26 IoCs
Processes:
ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exedescription ioc process File created C:\Users\Admin\Downloads\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Admin\Favorites\Links for United States\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Admin\Links\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Public\Downloads\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Public\Libraries\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Public\Recorded TV\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Public\Videos\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Admin\Contacts\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Public\Videos\Sample Videos\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Admin\Music\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Public\Desktop\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Public\Documents\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Admin\Favorites\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Admin\Pictures\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Admin\Saved Games\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Admin\Searches\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Public\Music\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Admin\Favorites\Links\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Admin\Documents\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Admin\Videos\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Public\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Public\Music\Sample Music\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Public\Pictures\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Public\Pictures\Sample Pictures\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Public\Recorded TV\Sample Media\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Users\Admin\Desktop\desktop.ini ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe -
Drops file in Program Files directory 2 IoCs
Processes:
ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exedescription ioc process File created C:\Program Files\README_1380491.txt ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe File created C:\Program Files (x86)\README_1380491.txt ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe -
Drops file in Windows directory 1 IoCs
Processes:
ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exedescription ioc process File created C:\Windows\README_1380491.txt ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2480 vssadmin.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 1120 NOTEPAD.EXE -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exepid process 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exevssvc.exedescription pid process Token: SeDebugPrivilege 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe Token: SeBackupPrivilege 2892 vssvc.exe Token: SeRestorePrivilege 2892 vssvc.exe Token: SeAuditPrivilege 2892 vssvc.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.execmd.execmd.exedescription pid process target process PID 2368 wrote to memory of 1668 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe cmd.exe PID 2368 wrote to memory of 1668 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe cmd.exe PID 2368 wrote to memory of 1668 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe cmd.exe PID 2368 wrote to memory of 2428 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe cmd.exe PID 2368 wrote to memory of 2428 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe cmd.exe PID 2368 wrote to memory of 2428 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe cmd.exe PID 2368 wrote to memory of 2428 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe cmd.exe PID 2368 wrote to memory of 2428 2368 ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe cmd.exe PID 1668 wrote to memory of 2480 1668 cmd.exe vssadmin.exe PID 1668 wrote to memory of 2480 1668 cmd.exe vssadmin.exe PID 1668 wrote to memory of 2480 1668 cmd.exe vssadmin.exe PID 2428 wrote to memory of 2380 2428 cmd.exe PING.EXE PID 2428 wrote to memory of 2380 2428 cmd.exe PING.EXE PID 2428 wrote to memory of 2380 2428 cmd.exe PING.EXE PID 1668 wrote to memory of 2232 1668 cmd.exe bcdedit.exe PID 1668 wrote to memory of 2232 1668 cmd.exe bcdedit.exe PID 1668 wrote to memory of 2232 1668 cmd.exe bcdedit.exe PID 1668 wrote to memory of 2636 1668 cmd.exe bcdedit.exe PID 1668 wrote to memory of 2636 1668 cmd.exe bcdedit.exe PID 1668 wrote to memory of 2636 1668 cmd.exe bcdedit.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe"C:\Users\Admin\AppData\Local\Temp\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe"1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2480 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:2232 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2636 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\system32\PING.EXEping -n 1 -w 5000 10.10.254.2543⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2380
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_1380491.txt1⤵
- Opens file in notepad (likely ransom note)
PID:1120
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58d5b641b3391762dec4dce32506026c7
SHA1e0637fdc22706669c0c527f7002b88f001bbabac
SHA2564b2e43d441ed23f1bb15dfadc51aff09b8ea7c416294642b8dc5593a298bd686
SHA51210599148acf8f0f93cb789c750aeec47846fa3ca897233f8c66b4781bd7761ea7165e1078d2d8fdd05fafdd8ae71d798edf28ffd1f2d4943567eb7f1b05cf0a3
-
Filesize
582KB
MD5e46f85bdfcca5ec364000f2f88c2baa8
SHA18525e2af26e86270bb30e2bbeb9c0df6d521e7cd
SHA256a15cccaf159a125e9e0488d42c1644fed6d29a7e520973f335e461e977a4038b
SHA512b9c3f601d2073ae1de71a1b47f504c07bf55b3a8091da8e3a65abc805178a6efcfd1c8650919f983f99ade0abd76897cb72f01c3f4a4e36504e48748f2ca213a
-
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi
Filesize140KB
MD5428efff3b60eeccce32784ea04af985b
SHA11a49e22dfb489bde1465868fc3d28da8afb481ea
SHA2560b9f5561eb0d2946bc980794ce06b2dc09bb7388efd67b7cb74e819ba0734805
SHA51263f34c4f959419a1fb72e63dc7c9762f3881a1794c7e153e2f743d306b259fce16dfaac36ba5cf9382ad367e72e4822b7b932d20465d9dfb746ee53c2682c702
-
Filesize
167B
MD5d1df9bb96b34b2b9cba30dc139a00ef8
SHA144e80d8b875f296f7087eadc0584276fb68fa323
SHA25617bdd9c1355d56e607eae45138d64ed86ebb1369dfcdf4f7ef313124c2f098bc
SHA5127029c53a5de207b495c512bbfc160ccb1d76fb0101ff5bef497cc0bfa570228b5d641e3fb34ee4d17585a19e4ce0b1337f7e14750c70a014d69c1d8afa4f7ec2
-
Filesize
147B
MD52450c91afcc2d4cc3dea374820bed314
SHA1dd1b61d0aa6d1769018c1d3144de9bb960a64d3c
SHA2564f157084c6e48b547e698ed83ae9a853a4db4b7a115249db272e3eb93316f7df
SHA512b0b21d16b7f35bfc5526ed07407ec85a221a7a036827b65dce0a449d02a31f3f6f5ce2fbf94f0af01ce4a248b27ccf5f287dd2746ee423766be8d366f78ccc91
-
Filesize
10KB
MD50f383341d3b9e4a24ae27b830680bbcf
SHA1eccadca878ddac156559769cefcff551fe70fc16
SHA2564dce23601ec1586449fd2e8a380968ab4e97ab22e71bc30089544acfa5913518
SHA5123b073ce7b6ff31fe41286227e2db5e9b7adf1f9490b5e969f4894152650f6580cc899348fb6d88665f11b30c738022de56f6fa660bd73e113e14743e3cc74288
-
Filesize
81KB
MD5582e5f42e471b3ef867f7dae450cb1dd
SHA1f2a4530ad0e1f6d9afe0ca377191f8b9ca4e93a6
SHA2569361f676f7786cb46aa217858166442611b8e5ce3e3119026b7eff22a037aa87
SHA5127eaf5cee54791ca532fe6607ee31e3d9a91efc78042886d90253dfab69851a398964ab6059d6dc3418ba759df947cfd1f677daf46a7d7c07171265270e2077c0