Analysis
max time kernel: 87s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 12:24
Static task: static1
Behavioral task: behavioral1
Sample: RNSM00432.7z
Resource: win10v2004-20241007-en
General
Target: RNSM00432.7z
Size: 31.2MB
MD5: be484eefb48a6c7ea47da9807a26f1d9
SHA1: 92e843045bc7f796706a5c7c8af65bcc919e01da
SHA256: ba1d49f1423ab5fb6918cb61bf61b5acc50bd1ad99838a3dbba59af99e629e77
SHA512: 2ed6f29decd1916963048e57f99c1d5b340a0961b9edcbeab1d6f01fa527a853cac797f457ba92363003ee8392d829a4d5f345b83bba426223250c4eea5547a5
SSDEEP: 786432:6513OAEXjyZZp2jHShJxZs81quWVahRSItfZUjWkO3:q3OAGjyZb2jH2JxZ7dsERSEfZ9z
Malware Config
Extracted: crimsonrat
  167.86.89.53
Extracted: urelas
  112.175.88.207
  112.175.88.208
Extracted: C:\Users\Admin\Desktop\readme.txt
  https://ranzylock.hk/2X258GEF
  http://a6a5b4ppnkrio3nikyutfexbc6y5dc6kfhj3jr32kdwbryr2lempkuyd.onion/2X258GEF
Extracted: C:\Users\Admin\3D Objects\LOCKY-README.txt
  http://pylockyrkumqih5l.onion/index.php
  http://pylockyrkumqih5l.onion/index.php에서
Extracted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db
  http://pylockyrkumqih5l.onion/index.php
  http://pylockyrkumqih5l.onion/index.php에서
Extracted: C:\Users\Admin\Desktop\LegionReadMe.txt
  131fjhrB4wH8j6adZXudp1Wn23pR33tpAh
  http://mail2tor2zyjdctd.onion/
Signatures
CrimsonRat
Crimson RAT is malware associated with a Pakistan-linked threat actor.
Crimsonrat family
Detected LegionLocker ransomware 1 IoCs
Sample contains strings associated with the LegionLocker family.
resource | yara_rule
behavioral1/files/0x0007000000023c99-271.dat | family_legionlocker
LegionLocker
Ransomware family active in 2021.
Legionlocker family
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Urelas family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Trojan-Ransom.Win32.Crypmodng.lf-b4f9bf7078efed284561ab4c4a67474b187e34f920b0cbe0214a3b467f8d81ed.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | VHO-Trojan-Ransom.Win32.Blocker.gen-4ac430ff8dd4211cc2fb01ed6237ff82e22154d9d850ad22873b7369c116bfd8.exe
Renames multiple (174) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
Renames multiple (442) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Disables use of System Restore points 1 TTPs
Checks BIOS information in registry 2 TTPs 5 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | HEUR-Trojan-Ransom.Win32.Gen.vho-522df9ded0f80f949cbf289271bbfc85c975f5a02f8d660557999a7362d5cad9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Trojan-Ransom.Win32.Crypmodng.lf-b4f9bf7078efed284561ab4c4a67474b187e34f920b0cbe0214a3b467f8d81ed.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Trojan-Ransom.Win32.Crypmodng.lf-b4f9bf7078efed284561ab4c4a67474b187e34f920b0cbe0214a3b467f8d81ed.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | VHO-Trojan-Ransom.Win32.Blocker.gen-4ac430ff8dd4211cc2fb01ed6237ff82e22154d9d850ad22873b7369c116bfd8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | VHO-Trojan-Ransom.Win32.Blocker.gen-4ac430ff8dd4211cc2fb01ed6237ff82e22154d9d850ad22873b7369c116bfd8.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | Trojan-Ransom.Win32.GenericCryptor.czo-43497d5d133ad2f7d040bd775e4ae18c017f4946b00b827161ba51b2c158287a.exe
Executes dropped EXE 30 IoCs
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | VHO-Trojan-Ransom.Win32.Blocker.gen-4ac430ff8dd4211cc2fb01ed6237ff82e22154d9d850ad22873b7369c116bfd8.exe
Loads dropped DLL 48 IoCs
Modifies file permissions 1 TTPs 1 IoCs
pid | Process
5196 | icacls.exe
Modifies system executable filetype association 2 TTPs 13 IoCs
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
resource | yara_rule
behavioral1/files/0x0007000000023c99-271.dat | themida
behavioral1/memory/5020-277-0x0000000000D60000-0x0000000001580000-memory.dmp | themida
behavioral1/memory/5020-275-0x0000000000D60000-0x0000000001580000-memory.dmp | themida
behavioral1/memory/5020-3051-0x0000000000D60000-0x0000000001580000-memory.dmp | themida
resource | yara_rule
behavioral1/files/0x0007000000023c9a-279.dat | vmprotect
Adds Run key to start application 2 TTPs 7 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\cbf50b2d-acf6-4ef9-a42d-eddcebc463d3\\HEUR-Trojan-Ransom.Win32.Stop.gen-b17ca3bc83d7293660a4ede593c2147ee8b4a982cfdef50868e4157c0548e891.exe\" --AutoStart" | HEUR-Trojan-Ransom.Win32.Stop.gen-b17ca3bc83d7293660a4ede593c2147ee8b4a982cfdef50868e4157c0548e891.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iconrdb = "C:\\Users\\Admin\\AppData\\Roaming\\iconrdb.exe" | Trojan-Ransom.Win32.Blocker.jjgl-a1d5d5d250959e5537ffb9504ac734310e752ab49e232e7b5d858ea9788157fb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Trojan-Ransom.Win32.Crypmodng.lf-b4f9bf7078efed284561ab4c4a67474b187e34f920b0cbe0214a3b467f8d81ed.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | VHO-Trojan-Ransom.Win32.Blocker.gen-4ac430ff8dd4211cc2fb01ed6237ff82e22154d9d850ad22873b7369c116bfd8.exe
Drops desktop.ini file(s) 10 IoCs
description | ioc | Process
File created | F:\$RECYCLE.BIN\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini | Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe
File opened for modification | C:\desktop.ini | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
File created | C:\desktop.ini | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
File opened for modification | F:\desktop.ini | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe
File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe
File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe
File created | C:\Users\Admin\3D Objects\desktop.ini | Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe
File created | F:\desktop.ini | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
58 | api.2ip.ua
59 | api.2ip.ua
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | VHO-Trojan-Ransom.Win32.Blocker.gen-4ac430ff8dd4211cc2fb01ed6237ff82e22154d9d850ad22873b7369c116bfd8.exe
Drops file in System32 directory 6 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\IExplorer.exe | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
File opened for modification | C:\Windows\SysWOW64\Mig2.scr | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
File created | C:\Windows\SysWOW64\shell.exe | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
File created | C:\Windows\SysWOW64\Mig2.scr | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
5020 | Trojan-Ransom.Win32.Crypmodng.lf-b4f9bf7078efed284561ab4c4a67474b187e34f920b0cbe0214a3b467f8d81ed.exe
2200 | VHO-Trojan-Ransom.Win32.Blocker.gen-4ac430ff8dd4211cc2fb01ed6237ff82e22154d9d850ad22873b7369c116bfd8.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\xk.exe | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
File created | C:\Windows\xk.exe | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Detects Pyinstaller 1 IoCs
resource | yara_rule
behavioral1/files/0x0007000000023c9c-300.dat | pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 9 IoCs
pid | pid_target | Process | procid_target
3376 | 1920 | WerFault.exe | 112
3952 | 2256 | WerFault.exe | 109
3988 | 2256 | WerFault.exe | 109
3340 | 2256 | WerFault.exe | 109
4328 | 2444 | WerFault.exe | 131
3536 | 2256 | WerFault.exe | 109
2812 | 2256 | WerFault.exe | 109
2028 | 2256 | WerFault.exe | 109
4360 | 2256 | WerFault.exe | 109
System Location Discovery: System Language Discovery 1 TTPs 33 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments: the disk's vendor/product strings and FriendlyName give away virtual disks (VBOX, VMware, QEMU). In this run the only reader of the key is taskmgr.exe (PIDs 4856 and 2748), an analyst-launched tool that reads the disk FriendlyName for its Performance tab, and the disk presents as WDC WDS100T2B0A, so this hit is not attributable to any of the samples.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
-
Modifies Control Panel 4 IoCs
Taken together these values make the dropped Mig~mig.SCR run as the screen saver after 600 seconds of inactivity, with no lock on resume (ScreenSaverIsSecure = 0): a screen-saver persistence path in addition to the Winlogon and Run-key entries recorded for the same sample.

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
-
Modifies registry class 21 IoCs
The Blocker.kpuo sample points the exefile, comfile, batfile, piffile and lnkfile open commands at a dropped C:\Windows\system32\shell.exe, which then receives every program the user launches ("%1" %*), and renames the exefile type to "File Folder" so .exe files present as folders in Explorer. The "Local Settings" rows from OpenWith.exe and the other samples are ordinary per-user class-root activity.

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | Trojan-Ransom.Win32.Blocker.nakz-f3c2772576750e6b9f5f4e74167d6300082372f1abf858c2dcaf33d2d99e6fe2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | Trojan-Ransom.Win32.GenericCryptor.czo-43497d5d133ad2f7d040bd775e4ae18c017f4946b00b827161ba51b2c158287a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | Trojan-Ransom.Win32.Blocker.napd-028cd72b30bc840405f00187c99045fd4ecbf9b2dbb1d365f5bac227614147d2.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | OpenWith.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 3368 powershell.exe 3368 powershell.exe 3368 powershell.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2748 taskmgr.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 5020 Trojan-Ransom.Win32.Crypmodng.lf-b4f9bf7078efed284561ab4c4a67474b187e34f920b0cbe0214a3b467f8d81ed.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Numeric entries are privilege LUIDs the sandbox did not resolve to a name. The wmic.exe children (PIDs 3512, 3044, 1684) enable nearly every privilege in their token, which is what the WMI command-line client does on start-up regardless of who launched it; the notable sample-side entries are HEUR-Trojan-Ransom.Win32.Gen.vho (PID 400) enabling SeBackup, SeRestore, SeTcb, SeImpersonate, SeDebug and SeShutdown.

description | pid | Process
Token: SeRestorePrivilege | 848 | 7zFM.exe
Token: 35 | 848 | 7zFM.exe
Token: SeSecurityPrivilege | 848 | 7zFM.exe
Token: SeDebugPrivilege | 4856 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4856 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4856 | taskmgr.exe
Token: SeDebugPrivilege | 2748 | taskmgr.exe
Token: SeSystemProfilePrivilege | 2748 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 2748 | taskmgr.exe
Token: 33 | 4856 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 4856 | taskmgr.exe
Token: SeDebugPrivilege | 3368 | powershell.exe
Token: SeBackupPrivilege | 400 | HEUR-Trojan-Ransom.Win32.Gen.vho-522df9ded0f80f949cbf289271bbfc85c975f5a02f8d660557999a7362d5cad9.exe
Token: SeRestorePrivilege | 400 | HEUR-Trojan-Ransom.Win32.Gen.vho-522df9ded0f80f949cbf289271bbfc85c975f5a02f8d660557999a7362d5cad9.exe
Token: SeTcbPrivilege | 400 | HEUR-Trojan-Ransom.Win32.Gen.vho-522df9ded0f80f949cbf289271bbfc85c975f5a02f8d660557999a7362d5cad9.exe
Token: SeImpersonatePrivilege | 400 | HEUR-Trojan-Ransom.Win32.Gen.vho-522df9ded0f80f949cbf289271bbfc85c975f5a02f8d660557999a7362d5cad9.exe
Token: SeDebugPrivilege | 400 | HEUR-Trojan-Ransom.Win32.Gen.vho-522df9ded0f80f949cbf289271bbfc85c975f5a02f8d660557999a7362d5cad9.exe
Token: SeShutdownPrivilege | 400 | HEUR-Trojan-Ransom.Win32.Gen.vho-522df9ded0f80f949cbf289271bbfc85c975f5a02f8d660557999a7362d5cad9.exe
Token: SeDebugPrivilege | 1652 | HEUR-Trojan-Ransom.MSIL.GenericCryptor.gen-dc01a9daa0faa2f736420308b5eb907f3ef69b4486ed840315ad8825aae0c973.exe
Token: SeIncreaseQuotaPrivilege | 3512 | wmic.exe
Token: SeSecurityPrivilege | 3512 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3512 | wmic.exe
Token: SeLoadDriverPrivilege | 3512 | wmic.exe
Token: SeSystemProfilePrivilege | 3512 | wmic.exe
Token: SeSystemtimePrivilege | 3512 | wmic.exe
Token: SeProfSingleProcessPrivilege | 3512 | wmic.exe
Token: SeIncBasePriorityPrivilege | 3512 | wmic.exe
Token: SeCreatePagefilePrivilege | 3512 | wmic.exe
Token: SeBackupPrivilege | 3512 | wmic.exe
Token: SeRestorePrivilege | 3512 | wmic.exe
Token: SeShutdownPrivilege | 3512 | wmic.exe
Token: SeDebugPrivilege | 3512 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3512 | wmic.exe
Token: SeRemoteShutdownPrivilege | 3512 | wmic.exe
Token: SeUndockPrivilege | 3512 | wmic.exe
Token: SeManageVolumePrivilege | 3512 | wmic.exe
Token: 33 | 3512 | wmic.exe
Token: 34 | 3512 | wmic.exe
Token: 35 | 3512 | wmic.exe
Token: 36 | 3512 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 3044 | wmic.exe
Token: SeSecurityPrivilege | 3044 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3044 | wmic.exe
Token: SeLoadDriverPrivilege | 3044 | wmic.exe
Token: SeSystemProfilePrivilege | 3044 | wmic.exe
Token: SeSystemtimePrivilege | 3044 | wmic.exe
Token: SeProfSingleProcessPrivilege | 3044 | wmic.exe
Token: SeIncBasePriorityPrivilege | 3044 | wmic.exe
Token: SeCreatePagefilePrivilege | 3044 | wmic.exe
Token: SeBackupPrivilege | 3044 | wmic.exe
Token: SeRestorePrivilege | 3044 | wmic.exe
Token: SeShutdownPrivilege | 3044 | wmic.exe
Token: SeDebugPrivilege | 3044 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3044 | wmic.exe
Token: SeRemoteShutdownPrivilege | 3044 | wmic.exe
Token: SeUndockPrivilege | 3044 | wmic.exe
Token: SeManageVolumePrivilege | 3044 | wmic.exe
Token: 33 | 3044 | wmic.exe
Token: 34 | 3044 | wmic.exe
Token: 35 | 3044 | wmic.exe
Token: 36 | 3044 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 1684 | wmic.exe
Token: SeSecurityPrivilege | 1684 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1684 | wmic.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 848 7zFM.exe 848 7zFM.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 4856 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe 2748 taskmgr.exe -
Suspicious use of SetWindowsHookEx 21 IoCs
pid | Process
4972 | cmd.exe
4092 | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
2052 | Trojan-Ransom.Win32.Blocker.jjgl-a1d5d5d250959e5537ffb9504ac734310e752ab49e232e7b5d858ea9788157fb.exe
2172 | OpenWith.exe
2952 | OpenWith.exe
848 | OpenWith.exe
5652 | shell.exe
3804 | shell.exe
5568 | VHO-Trojan-Ransom.Win32.Spora.gen-6d66474214a20386592dfae2e70c6f672b8d408464b995be61765cec7598c12b.exe
5612 | xk.exe
1720 | IExplorer.exe
5332 | VHO-Trojan-Ransom.Win32.Convagent.gen-202f521c78510833261f2eaedf1123f00703860b750557a6bf6dd6667df5633c.exe
5332 | VHO-Trojan-Ransom.Win32.Convagent.gen-202f521c78510833261f2eaedf1123f00703860b750557a6bf6dd6667df5633c.exe
5964 | WINLOGON.EXE
5332 | VHO-Trojan-Ransom.Win32.Convagent.gen-202f521c78510833261f2eaedf1123f00703860b750557a6bf6dd6667df5633c.exe
5332 | VHO-Trojan-Ransom.Win32.Convagent.gen-202f521c78510833261f2eaedf1123f00703860b750557a6bf6dd6667df5633c.exe
5332 | VHO-Trojan-Ransom.Win32.Convagent.gen-202f521c78510833261f2eaedf1123f00703860b750557a6bf6dd6667df5633c.exe
316 | CSRSS.EXE
2992 | SERVICES.EXE
6136 | LSASS.EXE
5304 | SMSS.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
The report lists one row per WriteProcessMemory call; identical rows are grouped here and the last column gives how many times each appears. procid_target is the sandbox's internal id of the target process.

pid | Process | wrote to memory of (pid) | procid_target | rows
4856 | taskmgr.exe | 2748 | 98 | 2
3368 | powershell.exe | 4972 | 104 | 2
4972 | cmd.exe | 1864 | 105 | 2
4972 | cmd.exe | 1652 | 106 | 3
4972 | cmd.exe | 400 | 107 | 2
4972 | cmd.exe | 4440 | 108 | 3
4972 | cmd.exe | 2256 | 109 | 3
4440 | HEUR-Trojan-Ransom.Win32.Generic-a6ecf451846d006f37ecd2f882ba15272bcc204430551f36ebab1ee1483dd6e5.exe | 3512 | 146 | 3
4972 | cmd.exe | 1920 | 112 | 3
4972 | cmd.exe | 2052 | 115 | 3
4972 | cmd.exe | 4092 | 118 | 3
4972 | cmd.exe | 4592 | 120 | 3
4440 | HEUR-Trojan-Ransom.Win32.Generic-a6ecf451846d006f37ecd2f882ba15272bcc204430551f36ebab1ee1483dd6e5.exe | 3044 | 121 | 3
4972 | cmd.exe | 1256 | 123 | 3
4972 | cmd.exe | 5020 | 124 | 3
4440 | HEUR-Trojan-Ransom.Win32.Generic-a6ecf451846d006f37ecd2f882ba15272bcc204430551f36ebab1ee1483dd6e5.exe | 1684 | 126 | 3
4972 | cmd.exe | 2444 | 131 | 3
4972 | cmd.exe | 2200 | 161 | 3
4440 | HEUR-Trojan-Ransom.Win32.Generic-a6ecf451846d006f37ecd2f882ba15272bcc204430551f36ebab1ee1483dd6e5.exe | 1716 | 137 | 3
4972 | cmd.exe | 1088 | 142 | 3
1848 | trojan-ransom.win32.darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe | 1720 | 165 | 4
4440 | HEUR-Trojan-Ransom.Win32.Generic-a6ecf451846d006f37ecd2f882ba15272bcc204430551f36ebab1ee1483dd6e5.exe | 3512 | 146 | 3
1088 | Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe | 2328 | 148 | 1
-
System policy modification 1 TTPs 4 IoCs
DisableRegistryTools = 1 blocks regedit for the user and NoFolderOptions = 1 removes Explorer's Folder Options dialog; together with the file-type hijack recorded under "Modifies registry class" this leaves the user unable to inspect or undo the changes from the desktop, so cleanup has to come from an elevated remote session or offline.

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
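The registry writes tabulated under "Modifies Control Panel", "Modifies registry class" and "System policy modification", together with the wmic SHADOWCOPY and icacls commands in the process tree below, are the behaviours a responder would want to detect on a real host rather than only read off a sandbox report. The Python below is an added example, not part of this report or of any tooling it names: it re-expresses those signatures as checks over Sysmon-style registry-set (Event ID 13) and process-creation (Event ID 1) records. The Event and Finding types, the audit() function and the regular expressions are constructed here; the sample events are assembled from values this report records, plus two benign baseline events that must not fire. One caveat the data forced: the recorded wmic line is only "wmic.exe SHADOWCOPY /nointeractive", without the delete verb the usual pre-encryption command carries, so the wmic pattern keys on the SHADOWCOPY alias rather than on delete.

```python
"""Added triage example, not part of this sandbox report: the report's registry and
process-creation signatures as checks over Sysmon-style events. Every event record
below is constructed here from values the report lists."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# shell\open\command data that hands the file straight to the loader; anything else
# routes every program the user starts through a third binary.
DEFAULT_OPEN_COMMAND = {
    "exefile": '"%1" %*', "comfile": '"%1" %*', "batfile": '"%1" %*', "piffile": '"%1" %*',
    "lnkfile": None,  # no open\command value exists by default, so any value is a hijack
}
CLASS_OPEN_CMD = re.compile(r"\\classes\\([a-z0-9]+)\\shell\\open\\command\\?$")
# Explorer/System policy values that lock the user out of their own tooling.
LOCKOUT_POLICIES = {"disableregistrytools", "disabletaskmgr", "nofolderoptions", "disablecmd"}
# Pre-encryption backup destruction (MITRE T1490). The wmic pattern keys on the
# SHADOWCOPY alias alone because this report's command line carries no verb.
BACKUP_DESTRUCTION = [
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
]
# icacls denying Everyone (S-1-1-0) delete rights: the payload guarding its own folder.
ICACLS_DENY_EVERYONE = re.compile(
    r'\bicacls(\.exe)?\s+"?(?P<path>[^"]+?)"?\s+/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)', re.I)

@dataclass
class Event:
    kind: str                   # "RegistrySet" (Sysmon ID 13) or "ProcessCreate" (Sysmon ID 1)
    process: str                # image writing the value, or parent image of the new process
    target: str                 # registry value path, or the new process's command line
    data: Optional[str] = None  # value data for RegistrySet

@dataclass
class Finding:
    severity: str
    process: str
    reason: str

def _registry_findings(ev: Event) -> Iterator[Finding]:
    low = ev.target.lower()
    m = CLASS_OPEN_CMD.search(low)
    if m:  # file-association hijack check
        cls = m.group(1)
        if cls in DEFAULT_OPEN_COMMAND and ev.data != DEFAULT_OPEN_COMMAND[cls]:
            yield Finding("high", ev.process, f"{cls} open handler hijacked: {ev.data}")
        return
    name, data = low.rsplit("\\", 1)[-1], (ev.data or "").strip()
    if "\\policies\\" in low and name in LOCKOUT_POLICIES and data == "1":
        yield Finding("medium", ev.process, f"policy lockout {name} = 1")
    elif low.endswith("\\winlogon\\shell") and data.lower() != "explorer.exe":
        yield Finding("high", ev.process, f"Winlogon Shell replaced: {ev.data}")
    elif low.endswith("\\control panel\\desktop\\scrnsave.exe"):
        yield Finding("low", ev.process, f"screen saver redirected to {ev.data}")

def _process_findings(ev: Event) -> Iterator[Finding]:
    if any(p.search(ev.target) for p in BACKUP_DESTRUCTION):
        yield Finding("high", ev.process, f"backup/shadow-copy destruction: {ev.target}")
    m = ICACLS_DENY_EVERYONE.search(ev.target)
    if m:
        yield Finding("medium", ev.process, f"icacls denies Everyone delete on {m.group('path')}")

def audit(events: List[Event]) -> List[Finding]:
    """One Finding per matching behaviour, in event order."""
    findings: List[Finding] = []
    for ev in events:
        handler = _registry_findings if ev.kind == "RegistrySet" else _process_findings
        findings.extend(handler(ev))
    return findings

BLOCKER_KPUO = "Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe"
HEUR_GENERIC = "HEUR-Trojan-Ransom.Win32.Generic-a6ecf451846d006f37ecd2f882ba15272bcc204430551f36ebab1ee1483dd6e5.exe"
STOP_GEN = "HEUR-Trojan-Ransom.Win32.Stop.gen-b17ca3bc83d7293660a4ede593c2147ee8b4a982cfdef50868e4157c0548e891.exe"
HKLM = "\\REGISTRY\\MACHINE\\SOFTWARE\\"
HKU = "\\REGISTRY\\USER\\S-1-5-21-3756129449-3121373848-4276368241-1000\\"
SHELL_HIJACK = '"C:\\Windows\\system32\\shell.exe" "%1" %*'

# Constructed sample: values from this report plus two benign baselines that must not fire.
SAMPLE_EVENTS = [
    Event("RegistrySet", BLOCKER_KPUO, HKLM + "Classes\\exefile\\shell\\open\\command\\", SHELL_HIJACK),
    Event("RegistrySet", BLOCKER_KPUO, HKLM + "Classes\\lnkfile\\shell\\open\\command\\", SHELL_HIJACK),
    Event("RegistrySet", BLOCKER_KPUO, HKLM + "Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "1"),
    Event("RegistrySet", BLOCKER_KPUO, HKLM + "Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFolderOptions", "1"),
    Event("RegistrySet", BLOCKER_KPUO, HKU + "Control Panel\\Desktop\\SCRNSAVE.EXE", "C:\\Windows\\system32\\Mig~mig.SCR"),
    Event("RegistrySet", "explorer.exe", HKLM + "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "explorer.exe"),
    Event("ProcessCreate", HEUR_GENERIC, "wmic.exe SHADOWCOPY /nointeractive"),
    Event("ProcessCreate", STOP_GEN,
          'icacls "C:\\Users\\Admin\\AppData\\Local\\cbf50b2d-acf6-4ef9-a42d-eddcebc463d3" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    Event("ProcessCreate", "explorer.exe", '"C:\\Windows\\system32\\taskmgr.exe" /4'),  # analyst tooling, parent assumed
]

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.process}: {f.reason}")
```

Run as a script it prints seven findings for the embedded sample: the exefile and lnkfile handler hijacks and the wmic shadow-copy line as high, the two policy lockouts and the icacls deny as medium, the screen-saver redirection as low, and nothing for the two baseline events. On a live host, map Sysmon Event ID 13 and Event ID 1 records onto Event; a host whose stock exefile handler legitimately differs from "%1" %* needs DEFAULT_OPEN_COMMAND adjusted to its own baseline first, or the check will fire on every boot.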
Processes
(indentation shows parent/child nesting; the samples extracted to C:\Users\Admin\Desktop\00432 were launched by the harness's cmd.exe, PID 4972, itself a child of powershell.exe, PID 3368)

C:\Program Files\7-Zip\7zFM.exe
  command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00432.7z"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 848

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4856

    C:\Windows\system32\taskmgr.exe
      command line: "C:\Windows\system32\taskmgr.exe" /1
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3368

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4972

        C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.MSIL.Foreign.gen-538594e61929ba9fd81f7ad21c083078ec86a5cc3fdc4be2207997de0c282d89.exe
          command line: HEUR-Trojan-Ransom.MSIL.Foreign.gen-538594e61929ba9fd81f7ad21c083078ec86a5cc3fdc4be2207997de0c282d89.exe
          - Executes dropped EXE
          PID: 1864
        C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.MSIL.GenericCryptor.gen-dc01a9daa0faa2f736420308b5eb907f3ef69b4486ed840315ad8825aae0c973.exe
          command line: HEUR-Trojan-Ransom.MSIL.GenericCryptor.gen-dc01a9daa0faa2f736420308b5eb907f3ef69b4486ed840315ad8825aae0c973.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 1652

        C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.Win32.Gen.vho-522df9ded0f80f949cbf289271bbfc85c975f5a02f8d660557999a7362d5cad9.exe
          command line: HEUR-Trojan-Ransom.Win32.Gen.vho-522df9ded0f80f949cbf289271bbfc85c975f5a02f8d660557999a7362d5cad9.exe
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 400

        C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.Win32.Generic-a6ecf451846d006f37ecd2f882ba15272bcc204430551f36ebab1ee1483dd6e5.exe
          command line: HEUR-Trojan-Ransom.Win32.Generic-a6ecf451846d006f37ecd2f882ba15272bcc204430551f36ebab1ee1483dd6e5.exe
          - Executes dropped EXE
          - Enumerates connected drives
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4440

            C:\Windows\SysWOW64\Wbem\wmic.exe
              command line: wmic.exe SHADOWCOPY /nointeractive
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              PID: 3512

            C:\Windows\SysWOW64\Wbem\wmic.exe
              command line: wmic.exe SHADOWCOPY /nointeractive
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              PID: 3044

            C:\Windows\SysWOW64\Wbem\wmic.exe
              command line: wmic.exe SHADOWCOPY /nointeractive
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              PID: 1684

            C:\Windows\SysWOW64\Wbem\wmic.exe
              command line: wmic.exe SHADOWCOPY /nointeractive
              - System Location Discovery: System Language Discovery
              PID: 1716

            C:\Windows\SysWOW64\Wbem\wmic.exe
              command line: wmic.exe SHADOWCOPY /nointeractive
              - System Location Discovery: System Language Discovery
              PID: 3512

        C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.Win32.Stop.gen-b17ca3bc83d7293660a4ede593c2147ee8b4a982cfdef50868e4157c0548e891.exe
          command line: HEUR-Trojan-Ransom.Win32.Stop.gen-b17ca3bc83d7293660a4ede593c2147ee8b4a982cfdef50868e4157c0548e891.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          PID: 2256

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 876
              - Program crash
              PID: 3952

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 884
              - Program crash
              PID: 3988

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 928
              - Program crash
              PID: 3340

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 892
              - Program crash
              PID: 3536

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1084
              - Program crash
              PID: 2812

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1084
              - Program crash
              PID: 2028

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1604
              - Program crash
              PID: 4360

            C:\Windows\SysWOW64\icacls.exe
              command line: icacls "C:\Users\Admin\AppData\Local\cbf50b2d-acf6-4ef9-a42d-eddcebc463d3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
              - Modifies file permissions
              - System Location Discovery: System Language Discovery
              PID: 5196
        C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.iwia-21c066173b4f0addc251fdb8c0ff0db8c03a75687c484587295810499fa81d3f.exe
          command line: Trojan-Ransom.Win32.Blocker.iwia-21c066173b4f0addc251fdb8c0ff0db8c03a75687c484587295810499fa81d3f.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 1920

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 236
              - Program crash
              PID: 3376

        C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.jjgl-a1d5d5d250959e5537ffb9504ac734310e752ab49e232e7b5d858ea9788157fb.exe
          command line: Trojan-Ransom.Win32.Blocker.jjgl-a1d5d5d250959e5537ffb9504ac734310e752ab49e232e7b5d858ea9788157fb.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 2052

        C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
          command line: Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Modifies system executable filetype association
          - Adds Run key to start application
          - Drops desktop.ini file(s)
          - Enumerates connected drives
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Modifies Control Panel
          - Modifies registry class
          - Suspicious use of SetWindowsHookEx
          - System policy modification
          PID: 4092

            C:\Windows\xk.exe
              command line: C:\Windows\xk.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 5612

            C:\Windows\SysWOW64\IExplorer.exe
              command line: C:\Windows\system32\IExplorer.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 1720

            C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
              command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 5964

            C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
              command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 316

            C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
              command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 2992

            C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
              command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 6136

            C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
              command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 5304

            C:\Windows\xk.exe
              command line: C:\Windows\xk.exe
              PID: 5904

            C:\Windows\SysWOW64\IExplorer.exe
              command line: C:\Windows\system32\IExplorer.exe
              PID: 1720

            C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
              command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
              PID: 3912

            C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
              command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
              PID: 5144

            C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
              command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
              PID: 3136

            C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
              command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
              PID: 5488

            C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
              command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
              PID: 2952
C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.nakz-f3c2772576750e6b9f5f4e74167d6300082372f1abf858c2dcaf33d2d99e6fe2.exe (tree depth 3)
Command line: Trojan-Ransom.Win32.Blocker.nakz-f3c2772576750e6b9f5f4e74167d6300082372f1abf858c2dcaf33d2d99e6fe2.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4592

C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.napd-028cd72b30bc840405f00187c99045fd4ecbf9b2dbb1d365f5bac227614147d2.exe (tree depth 3)
Command line: Trojan-Ransom.Win32.Blocker.napd-028cd72b30bc840405f00187c99045fd4ecbf9b2dbb1d365f5bac227614147d2.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1256

C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Crypmodng.lf-b4f9bf7078efed284561ab4c4a67474b187e34f920b0cbe0214a3b467f8d81ed.exe (tree depth 3)
Command line: Trojan-Ransom.Win32.Crypmodng.lf-b4f9bf7078efed284561ab4c4a67474b187e34f920b0cbe0214a3b467f8d81ed.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
PID: 5020

C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Cryptor.eek-8e91cd3a65188dd5a60527d8af541237d364484b4ad1e8eeffa93db6402918e7.exe (tree depth 3)
Command line: Trojan-Ransom.Win32.Cryptor.eek-8e91cd3a65188dd5a60527d8af541237d364484b4ad1e8eeffa93db6402918e7.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2444

C:\Windows\SysWOW64\WerFault.exe (tree depth 4)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 300
- Program crash
PID: 4328

C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe (tree depth 3)
Command line: Trojan-Ransom.Win32.Darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2200

C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe (tree depth 3)
Command line: Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1088

C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe (tree depth 4)
Command line: Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
PID: 2328
C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.GenericCryptor.czo-43497d5d133ad2f7d040bd775e4ae18c017f4946b00b827161ba51b2c158287a.exe (tree depth 3)
Command line: Trojan-Ransom.Win32.GenericCryptor.czo-43497d5d133ad2f7d040bd775e4ae18c017f4946b00b827161ba51b2c158287a.exe
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2460

C:\Windows\SysWOW64\shell.exe (tree depth 4)
Command line: "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Local\Temp\huter.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5652

C:\Windows\SysWOW64\shell.exe (tree depth 4)
Command line: "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Local\Temp\sanfdr.bat"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3804

C:\Users\Admin\Desktop\00432\VHO-Trojan-Ransom.Win32.Blocker.gen-4ac430ff8dd4211cc2fb01ed6237ff82e22154d9d850ad22873b7369c116bfd8.exe (tree depth 3)
Command line: VHO-Trojan-Ransom.Win32.Blocker.gen-4ac430ff8dd4211cc2fb01ed6237ff82e22154d9d850ad22873b7369c116bfd8.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID: 2200

C:\Users\Admin\Desktop\00432\VHO-Trojan-Ransom.Win32.Convagent.gen-202f521c78510833261f2eaedf1123f00703860b750557a6bf6dd6667df5633c.exe (tree depth 3)
Command line: VHO-Trojan-Ransom.Win32.Convagent.gen-202f521c78510833261f2eaedf1123f00703860b750557a6bf6dd6667df5633c.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5332

C:\Users\Admin\Desktop\00432\VHO-Trojan-Ransom.Win32.Spora.gen-6d66474214a20386592dfae2e70c6f672b8d408464b995be61765cec7598c12b.exe (tree depth 3)
Command line: VHO-Trojan-Ransom.Win32.Spora.gen-6d66474214a20386592dfae2e70c6f672b8d408464b995be61765cec7598c12b.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5568
C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1920 -ip 1920
PID: 5084

C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2256 -ip 2256
PID: 2952

C:\Windows\system32\OpenWith.exe (tree depth 1)
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 2172

C:\Windows\system32\OpenWith.exe (tree depth 1)
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 2952

C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2256 -ip 2256
PID: 3536

C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2256 -ip 2256
PID: 1008

C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2444 -ip 2444
PID: 4340

C:\Users\Admin\Desktop\00432\trojan-ransom.win32.darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe (tree depth 1)
Command line: "C:\Users\Admin\Desktop\00432\trojan-ransom.win32.darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe" C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1848

C:\Users\Admin\Desktop\00432\trojan-ransom.win32.darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe (tree depth 2)
Command line: "C:\Users\Admin\Desktop\00432\trojan-ransom.win32.darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe" C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe
- Executes dropped EXE
PID: 1720

C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2256 -ip 2256
PID: 2736

C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2256 -ip 2256
PID: 4360

C:\Windows\system32\OpenWith.exe (tree depth 1)
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 848

C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2256 -ip 2256
PID: 1500

C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2256 -ip 2256
PID: 2728

C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5332 -ip 5332
PID: 5240

C:\Windows\system32\sihost.exe (tree depth 1)
Command line: sihost.exe
PID: 5556

C:\Windows\system32\sihost.exe (tree depth 1)
Command line: sihost.exe
PID: 5856

C:\Windows\system32\sihost.exe (tree depth 1)
Command line: sihost.exe
PID: 6008

C:\Windows\system32\sihost.exe (tree depth 1)
Command line: sihost.exe
PID: 2760

C:\Windows\system32\sihost.exe (tree depth 1)
Command line: sihost.exe
PID: 5328

C:\Windows\system32\sihost.exe (tree depth 1)
Command line: sihost.exe
PID: 1068

C:\Windows\System32\smss.exe (tree depth 1)
Command line: \SystemRoot\System32\smss.exe 000000c8 00000084
PID: 5568

C:\Windows\System32\smss.exe (tree depth 1)
Command line: \SystemRoot\System32\smss.exe 000000f8 00000084
PID: 5964
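The process tree above shows the classic masquerading pattern: copies named LSASS.EXE, SMSS.EXE, WINLOGON.EXE, CSRSS.EXE and SERVICES.EXE running from a user-profile directory, an IExplorer.exe planted in SysWOW64 and invoked with a system32 command line, and dropped executables (shell.exe, xk.exe) living under C:\Windows, while the genuine smss.exe and sihost.exe instances sit at the top of the tree in System32. The check below is an added example, not the sandbox's code; SAMPLE_TREE is constructed from the entries above (PID, image path, tree depth, signatures), the CORE_BINARIES baseline assumes a stock Windows 10 x64 layout, and the LOOKALIKES mapping is an assumption about which name the impostor is imitating.

```python
"""
Masquerading check over a sandbox process tree.  Added example; not part of
the report and not the sandbox vendor's code.  SAMPLE_TREE is constructed
from this report's process-tree entries, not a live capture.
"""
from pathlib import PureWindowsPath

# Assumption: stock Windows 10 x64.  Core binaries and the only directories a
# genuine copy is ever loaded from (compared case-insensitively).
CORE_BINARIES = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "sihost.exe": {r"c:\windows\system32"},
    "werfault.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
# Assumption: file names chosen to be confused with a real Windows binary.
LOOKALIKES = {"iexplorer.exe": "iexplore.exe"}

# Constructed from the process tree above: (pid, image path, depth, signatures).
SAMPLE_TREE = [
    (6136, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE", 4, {"Executes dropped EXE"}),
    (5304, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE", 4, {"Executes dropped EXE"}),
    (5904, r"C:\Windows\xk.exe", 4, set()),
    (1720, r"C:\Windows\SysWOW64\IExplorer.exe", 4, set()),
    (3912, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE", 4, set()),
    (5652, r"C:\Windows\SysWOW64\shell.exe", 4, {"Executes dropped EXE", "Suspicious use of SetWindowsHookEx"}),
    (4328, r"C:\Windows\SysWOW64\WerFault.exe", 4, {"Program crash"}),
    (5556, r"C:\Windows\system32\sihost.exe", 1, set()),
    (5568, r"C:\Windows\System32\smss.exe", 1, set()),
]


def masquerade_findings(tree):
    """Return [(pid, image, reason), ...] for entries that (a) carry a core
    system-binary name but run outside that binary's home directory,
    (b) use a known lookalike name, or (c) are dropped executables that
    were planted under C:\\Windows."""
    findings = []
    for pid, image, depth, sigs in tree:
        p = PureWindowsPath(image)
        name, folder = p.name.lower(), str(p.parent).lower()
        if name in CORE_BINARIES and folder not in CORE_BINARIES[name]:
            findings.append((pid, image, f"{name} running from {folder}"))
        elif name in LOOKALIKES:
            findings.append((pid, image, f"{name} mimics {LOOKALIKES[name]}"))
        elif "Executes dropped EXE" in sigs and folder.startswith(r"c:\windows"):
            findings.append((pid, image, "dropped executable planted under C:\\Windows"))
    return findings


def flagged_pids(tree):
    """Sorted PIDs that tripped at least one rule."""
    return sorted(pid for pid, _, _ in masquerade_findings(tree))


if __name__ == "__main__":
    for pid, image, reason in masquerade_findings(SAMPLE_TREE):
        print(f"PID {pid:>5}  {reason}: {image}")
```

On a live host the same three rules run over `Get-Process`/EDR telemetry instead of a sandbox tree; note that `Local Settings\Application Data` is the legacy junction to `AppData\Local`, so the impostors here live in an ordinary user-writable directory, which is exactly what the path rule catches. Depth is carried in the tuples only because the report expresses parentage that way; with real telemetry you would compare parent PIDs instead (genuine smss/csrss/winlogon are never children of a user-launched sample).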
Network
MITRE ATT&CK Enterprise v15 (count of matched signatures per technique)

Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Event Triggered Execution (T1546): 1
  - Change Default File Association (T1546.001): 1
- Pre-OS Boot (T1542): 1
  - Bootkit (T1542.003): 1

Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Event Triggered Execution (T1546): 1
  - Change Default File Association (T1546.001): 1

Defense Evasion
- File and Directory Permissions Modification (T1222): 1
- Hide Artifacts (T1564): 2
  - Hidden Files and Directories (T1564.001): 2
- Modify Registry (T1112): 6
- Pre-OS Boot (T1542): 1
  - Bootkit (T1542.003): 1
- Virtualization/Sandbox Evasion (T1497): 2

Credential Access
- Credentials from Password Stores (T1555): 1
  - Credentials from Web Browsers (T1555.003): 1
- Unsecured Credentials (T1552): 1
  - Credentials In Files (T1552.001): 1
Downloads
Filesize: 1KB
MD5: 1ac38ef82ed0ab223e7bac149819f0e6
SHA1: e50665f30cd4188c8853fab528fc27b8d8365101
SHA256: b1c41c8024fc39d61af09ce0a6410453d0ea562628801f114b89674ac6d1f007
SHA512: ec5c9fd37ee71a90935cb7c27bde96783f9aa750d377cac5d41c87f098ac4a2f3442e0a8a788d97a1f979641016c0d6e2d27e22908492e8cf9531d00b4761952

Filesize: 5KB
MD5: 40c480610ee5176f172a9789b798bdb9
SHA1: 004d0645c88e8bbc9ebd019287a6006109703b30
SHA256: 4219b8e3ccd0fd12ea9868207b3cda075e1fbcf2f30bc719af966fc3afa6ed6b
SHA512: f6ac5b4e2d84ca5e97240727db2744c0f49df8ee0f6bdb4247a97aced01693da7525bfaf56786b48c69c1a793d47536ffb1640a16973177408c4322493d84dcb

Filesize: 5KB
MD5: 0f6301b58593493a78ddef92985b0e97
SHA1: c4db40b8a3e15858a9a86a8927de10dfbdc907a7
SHA256: bacaa6753225fbdca83072c1988c34393d7f63d8872e8592fa93214cd90c78d9
SHA512: 13cf2eeaed53cc3f29c223b0b4a702744f5e206b5b7b1b4798a675cff7dead03e81d3d35886a1d3fe93c8f1be092944d90762656fa9c69fe3ab4263566c1ed13

Filesize: 64KB
MD5: d2fb266b97caff2086bf0fa74eddb6b2
SHA1: 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256: b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512: c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Filesize: 4B
MD5: f49655f856acb8884cc0ace29216f511
SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Filesize: 944B
MD5: 6bd369f7c74a28194c991ed1404da30f
SHA1: 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256: 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA512: 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old.lockedfile
Filesize: 8B
MD5: a411785b59052a6a640c1d7ea92cef56
SHA1: 0e15cff171cfb5a396b1a9920f7c381e27629d1e
SHA256: 6ea87249bdbae977e123cdba26d2b94a65d14acb8015a6a7b0ad6d74a8ebe8b0
SHA512: 3162400372d9949e3952f366c31bc85ef68fefb3b08216356b21dec1d7e37f8f336a889901a9cda3d2c67011c8c56ed1b6bc5f24eb47a6d4683b5083935ee06d

Filesize: 5KB
MD5: b8ff29e260e42524626a89983db309ab
SHA1: 034367be36fb0d719f1986166312da6c58377691
SHA256: f4ba77ce71d55b23765288aaa35df7085036243d31ea51208a5cf7e6178598d1
SHA512: 95acf729c38fda89e9211c3885ff3d45d8b965a9c5477da00613015b65203e34d5987a1fb6fecf4fc4035960d5d639bf98aca4d9b0df992579b23f0fceb64d40

Filesize: 332KB
MD5: 1df0cc6af96d03eb9ec8576dbe9f00f5
SHA1: 484c74492afcdd60d02f482423714d13e098615b
SHA256: 472ba7c83ba9e9f3f8a2c7236d876973f02a9b90957ee8f33013d92114a8d19a
SHA512: 2d9813aa4a93d620991e49c3885c5127c388e8fd3c63347a5af72156c17d058d019dc4976ae98c889a5f0edbaefcfdf1e90bde56688f40495b77a454469484b9

Filesize: 6KB
MD5: 64bbef1d07b86c20c72afb68342816ef
SHA1: ba67ba676bb20f0412c39c98b94be19c205ac598
SHA256: ddef92baac329cfac9ffda9e714dee82447a0eec87a9ddbc507a0005f2d813df
SHA512: 96c15c0aaf4acd3d641245caf6a091f48a547f064d92073f9fe9d8963a2b98b590e9b4f76b01291c119ad1061c7392c41ad359eeec31196a449a77b49d771132

Filesize: 1022B
MD5: d80618c8979264d132d76474180554bb
SHA1: 2657add78d90b07ef6fae7ecf04a3c1b25c50549
SHA256: 49279b8f083eaf184319375e1b4a349d903b2ae0a4cc795a805550fd82c502e3
SHA512: fd0daff1fbe0f01f9055f820030d4e910c74911caa1dc4c205f3249eb12d887f5961706b976089215fa4b7427b63cb5e1bec164e27795294e51ae3d66570cbf8

Filesize: 90KB
MD5: 6daf8b55801a602f84d7d568a142459c
SHA1: 57a80ca9621b282727d45caa5ae1c5e3c7e93f60
SHA256: 66d0cb13569e9798b04c5d049cff25bd4c7c8e7ddd885b62f523d90a65d0ce88
SHA512: abb1c17aea3edb46c096ca3d8cbf74c9dccad36a7b83be8cf30697760ad49f3bd3a38dc4ff1f0b715ad7996c3a23ea1c855fffd62af01d15935abc73378dcc2e

Filesize: 1.1MB
MD5: 55a29ec9721c509a5b20d1a037726cfa
SHA1: eaba230581d7b46f316d6603ea15c1e3c9740d04
SHA256: dbdcf9e8cba52043b5246ad0d234da8ba4d6534b326bbbb28a6a391edf6fa4ce
SHA512: e1a2993d4dd5f2e81f299fe158ee6d1f8ef95983113c9bea9a087e42205ff06ac563762de5a0b70b535efe8cf9f980ffc14c1318aaf58de3644277e3602e0ab3

Filesize: 2.5MB
MD5: 9e9e57b47f4f840dddc938db54841d86
SHA1: 1ed0be9c0dadcf602136c81097da6fda9e07dbbc
SHA256: 608feafc63a0d1b38772e275c9e6d3b8a5b03efc0a27eb397107db0a6d079c50
SHA512: 1a0dab38ebf4d995bcda3bdf0453c85d524cc1fff1c1b92160794d7c2f98f53088ba15c4b00b35d06e0be82a4bfa6d92cd4f09dec4ec98d615a82d5ffd5cb6c2
Filesize: 108KB
MD5: c7d86a10bfcd65e49a109125d4ebc8d9
SHA1: 5b571dc6a703a7235e8919f69c2a7a5005ccd876
SHA256: c4db872ff7d301186516882ea06422aee29e1c11b44a4d382addd5b801207818
SHA512: b7563b4d27713ec4308c24a0b15c02fb16e184b98bb73a4616792508f4ba57fe237186595b55e3fa476d6959388edd8678ea516ce620ee90c909a7b988d8b908

Filesize: 98KB
MD5: c8311157b239363a500513b04d1f6817
SHA1: 791d08f71c39bb01536f5e442f07ac7a0416b8a7
SHA256: 7de358652c1732caf72f968a664301e256aae281003ddcb0f5ecef4b13101009
SHA512: ab9dadd65c582f2b12af49448fa4f5a96da00abcc257722331ac7e9cad2e2770fdb7a0f2db32c113f2df33e6c84c8c0d594a36f1fb4f3a9ccdb8f3dc1ddfbdbf

Filesize: 6KB
MD5: d30e9bc025e945891f107f04bcae994b
SHA1: 0820942ff36a3706424c51bbf8c938caa8f32e72
SHA256: 3ce91b610359b7c754682477a64c0e65e343fbbb7edaaffa90da6de0f80abf9f
SHA512: 91f328b85d5712e3d6bbb01605f82b2fa75d393795a062eb6f8cf1686d6c55a283c4bf715415dcce8806f4bccfb0487e3bf0fecf5f8938223fbeae2f36ad3738

Filesize: 69KB
MD5: 813c016e2898c6a2c1825b586de0ae61
SHA1: 7113efcccb6ab047cdfdb65ba4241980c88196f4
SHA256: 693dfc5ccb8555a4183d4e196865ef0a766d7e53087c39059d096d03d6f64724
SHA512: dbb4add301ea127669d5dac4226ce0f5d6e5b2e50773db5c8083a9045a3cba0fcf6ea253a1183a4c87752bd3c5eb84128103a6d8ade71a7e410831b826d323ad

Filesize: 388KB
MD5: bafe1a2db7031dd88803341887712cc5
SHA1: 39daa19fc8c0b4301edb0c9fd3c3bc8abfea147f
SHA256: 074f23f9710bbcf1447763829c0e3d16afa5502efc6f784077cf334f28ceffb7
SHA512: 98395582c72e406254ade6a3b06cddecdce3b38a3a03aa9eb0bb6f81d6ac690beded7b88c4f2e5787d5aa062913080915e7e49198753cc851e8e4ef55432a9df

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 89KB
MD5: 79df34c3f1e479d6ba436b3a8dc593ca
SHA1: b3ce27bb8261f20806b2f4a68fe1cbdb57719635
SHA256: 1599e6892eab1915b6967ee24d5b37c4cad14cb291d725f8dc5986003c6d776b
SHA512: a6b97f08334adc66e4220433def6f3951181b105faa2d825fdb56bf3b2bca4ef3feca4b711b9b635c4a261f6e4fdcd262dd7ffbabdf70d36772ec831e39f53a4
C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.MSIL.Blocker.gen-2305a47a8d828f936f9d43f2807193e56d823c2cb35fe31984d54078f5f0b1f6.exe
Filesize: 1.4MB
MD5: 63af2cd5308dbba560add5b9c181a300
SHA1: 671802c44d8e889f4647f80b07784778fbdd8818
SHA256: 2305a47a8d828f936f9d43f2807193e56d823c2cb35fe31984d54078f5f0b1f6
SHA512: e55c6cf3053cfa102dd6011ce8876492bdfc0d2b294d2b4ab111f7134e865800ff77373587745417b8a65ce2811aeaf9e69a4c8bb219f726679dd42e37ad00d8

C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.MSIL.Foreign.gen-538594e61929ba9fd81f7ad21c083078ec86a5cc3fdc4be2207997de0c282d89.exe
Filesize: 10.2MB
MD5: ecc8484da9a95060e49169cda83227b1
SHA1: a6689067904a3cd992efa151ba2bff1a63e27d3e
SHA256: 538594e61929ba9fd81f7ad21c083078ec86a5cc3fdc4be2207997de0c282d89
SHA512: 119b6f86c5c0b80209916fec6cf79e1e4f0f8c80ed719bc1dfdade9805012aa75aeaf76e2ace240fc2c3245e7c9446513689fb94174b46932c3359e992ea5b2a

C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.MSIL.GenericCryptor.gen-dc01a9daa0faa2f736420308b5eb907f3ef69b4486ed840315ad8825aae0c973.exe
Filesize: 69KB
MD5: c7eb863fdc994eec0bfa260d3da433aa
SHA1: eba182f7cd9fa9b4c4bd513d78d7b71bdfbb36e1
SHA256: dc01a9daa0faa2f736420308b5eb907f3ef69b4486ed840315ad8825aae0c973
SHA512: 3b615790ee762c4bff2ecab984d1c09ef8211db929bdda87db4957be7ebfccbddcb588654ac1ee7a3ffbc780ba18f6bc83716eafafb1c62f3a7aa096577a0f3a

C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.Win32.Gen.vho-522df9ded0f80f949cbf289271bbfc85c975f5a02f8d660557999a7362d5cad9.exe
Filesize: 2.5MB
MD5: 4367dd86a7b732a836216bb9e539511a
SHA1: ac976eb60e523de0a2355b45a8ee7bad80361df9
SHA256: 522df9ded0f80f949cbf289271bbfc85c975f5a02f8d660557999a7362d5cad9
SHA512: 1fb3185f32dd0b59c267cbe66f12cdb9ea5bcb8b6feeddefba81c22ed192fbc23bb6be1f4588de0986dcb2fe760ba4c5e6db3e14a87349451aa7c13198f5e822

C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.Win32.Generic-a6ecf451846d006f37ecd2f882ba15272bcc204430551f36ebab1ee1483dd6e5.exe
Filesize: 138KB
MD5: a5a79b0e689bb77cf69b2a9eac9870da
SHA1: 46c1e6b3e0c1fc29d6e85d37218480248df5a738
SHA256: a6ecf451846d006f37ecd2f882ba15272bcc204430551f36ebab1ee1483dd6e5
SHA512: e19ab7bc322d294d745d57e7488831e513f449bbd67406ab55fadcbe707a7213167b9225abad73a2edf54281edf9b82b22ecb1a8e4ee12c9a48f5dc8d5a2c95e

C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.Win32.Stop.gen-b17ca3bc83d7293660a4ede593c2147ee8b4a982cfdef50868e4157c0548e891.exe
Filesize: 870KB
MD5: 801baebfd615d2e60cf2bd13ff1c4564
SHA1: 1c8a61e8a30fecb46c8818290b4e36e3fa76b1c6
SHA256: b17ca3bc83d7293660a4ede593c2147ee8b4a982cfdef50868e4157c0548e891
SHA512: e22853621527b3cdb1dd88df4c2367faaab614a6694add5a097f3b425209285bfee20ba3240e185b644cd45a322e8b1c1f8c22149311717786b61a137400c9c3

C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.iwia-21c066173b4f0addc251fdb8c0ff0db8c03a75687c484587295810499fa81d3f.exe
Filesize: 511KB
MD5: 0af75cf21d876d192ebc9feea5133db5
SHA1: f3e0d8a7bda373ac82a8ad2a8286a1aceda3351f
SHA256: 21c066173b4f0addc251fdb8c0ff0db8c03a75687c484587295810499fa81d3f
SHA512: a1f2940a37caed3a884d09c01e28fb2cd9d21652aa7b544c5c82f7b75cbaa8114963c53608f4f147c2c73abb20b2df9505e2b2826769ca30d83619a21c3dec03

C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.jjgl-a1d5d5d250959e5537ffb9504ac734310e752ab49e232e7b5d858ea9788157fb.exe
Filesize: 5.5MB
MD5: dc52ae607e2edaa0fe70a9fca624a531
SHA1: 9aae3411a81ab2fc08cc3c998dd0ec412bd8289c
SHA256: a1d5d5d250959e5537ffb9504ac734310e752ab49e232e7b5d858ea9788157fb
SHA512: ebe582e40a5e8980d016eaa20a379fc4fe2e537216d5809a0bc34a50cce7086147abe0ed6a65725acf47e48ff92e7766734ccb17f493940f19f38ec9651dc1f2
C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
Filesize: 319KB
MD5: c3cfc8eb42199c7c107b756573d0fb3d
SHA1: 4952d71033a5a1f7baf17a458cc734f1147fddad
SHA256: d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055
SHA512: 8cd8ed6b2179c2bb3e68b0e106ba47dd32d57a54db95878d2eb4d727c86ca92fff74eb792e1d5383ba3965aa872a65c56878fc0b16c9acfd2623b13194a17b74

C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.nakz-f3c2772576750e6b9f5f4e74167d6300082372f1abf858c2dcaf33d2d99e6fe2.exe
Filesize: 640KB
MD5: 4a5d200f90233825d13cbfa353e12191
SHA1: 288f0e2d566ff87a65595adc2e4db83b5726ba4a
SHA256: f3c2772576750e6b9f5f4e74167d6300082372f1abf858c2dcaf33d2d99e6fe2
SHA512: fe26c907a314d98f1b486e4499b7fcf849e0dd17e1072f82c46ad559bc9eda5fb714e3eb5d4acb3d0ba7ceb89408fc4464dc38c9469b346941accd3a02a53a72

C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.napd-028cd72b30bc840405f00187c99045fd4ecbf9b2dbb1d365f5bac227614147d2.exe
Filesize: 316KB
MD5: d56166e3e18c032a94f88b1178078a0e
SHA1: 4308372b50daef490c0205a29481cfa9d690fbd2
SHA256: 028cd72b30bc840405f00187c99045fd4ecbf9b2dbb1d365f5bac227614147d2
SHA512: 2e36bddeafd294a2c938e06af305e98a786324ecdd80af47265f882262355510de5f81413d13780f5dc184a77aa51b049d1059c959520e42bacd5b895e8beebe

C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Crypmodng.lf-b4f9bf7078efed284561ab4c4a67474b187e34f920b0cbe0214a3b467f8d81ed.exe
Filesize: 3.0MB
MD5: 2395c6f71d7470a5c855b3533ff1a597
SHA1: 52ce032449dc90e967760cd11d7a9a281a5a8d18
SHA256: b4f9bf7078efed284561ab4c4a67474b187e34f920b0cbe0214a3b467f8d81ed
SHA512: 1c249b8e4e8c6a5bacc9e176c1b7af581afb2ffe567f2a15f785cab6993cbd7cf00268a032da89b163614938b9c2a2898148f71d66265e0523a5f394cb56254f

C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Cryptor.eek-8e91cd3a65188dd5a60527d8af541237d364484b4ad1e8eeffa93db6402918e7.exe
Filesize: 5.3MB
MD5: 717e10d02fae3ce3afe1d66981aeec1b
SHA1: 73a66d432fd7bd6c8670f4d19da7ce26d63d9111
SHA256: 8e91cd3a65188dd5a60527d8af541237d364484b4ad1e8eeffa93db6402918e7
SHA512: 2c92440a834547a9a8787bce3a689e1a5ad5f64a3ec8c4b79586b438efd9e0ebaf3184c74b5abae5e3a7dae6db81b1a0f78eac3318dea6c41f65b667cc182d01

C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe
Filesize: 470KB
MD5: ba83f22e4a32663a4aad9c6e532104ae
SHA1: 1f8c8864a18264eb84fb1feba6dd620b7a17c333
SHA256: bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8
SHA512: 846520d0c6f4d362db87cfb002b24055ca6103178c6afac3aa8b75f0cb8c767394e892da74c1c43eac8ca584da87b2be864ca7859463d8de4e967c5b113040aa

C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe
Filesize: 7.1MB
MD5: 4cded1d7ee1b430cd4d89557e8c2e3b3
SHA1: a9a88c014ef30295944486fc582f549e4d73e104
SHA256: 670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688
SHA512: 743f2edc5574681bab59dfd39ad6b20be53ad8149a16a84ee73169275b9b0d824b6cbaec2dfc1a9db48ecedec8e50b7c18513f7345857e6952d7203e959c1319

C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.GenericCryptor.czo-43497d5d133ad2f7d040bd775e4ae18c017f4946b00b827161ba51b2c158287a.exe
Filesize: 89KB
MD5: f2ba9f28bb49437dc44bc83efa969c53
SHA1: dd0c2309460f19cd1eae3a9d03f78ed2387c77bc
SHA256: 43497d5d133ad2f7d040bd775e4ae18c017f4946b00b827161ba51b2c158287a
SHA512: d2acc2bb09b5ecf7aac52202982e7cf8151fd5ee3937c7cc84a0224fbda758c04c9484869be14b0aee257e1882f40d8b1859a73848ea7c1adf765648bc83f137

C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win64.Agent.dhx-fc06ec0272e384e8bc295d6f4b1c86d7ec9fcee704476663566e78b47b05263a.exe
Filesize: 2.3MB
MD5: 03a630206c581d4f2038df04a8d08d64
SHA1: 4a5fc77fed52f4bc777c74e92d735bf3e625cae4
SHA256: fc06ec0272e384e8bc295d6f4b1c86d7ec9fcee704476663566e78b47b05263a
SHA512: 4e41974303246214fda3d0b4cbaf50edfd1534245ed70d9550b54659198e390c3309fa2348c3c1363851447bfd15e7a782d4d63f6c028f5a1045f80415405004
Filesize: 722B
MD5: 0f35ec03671ffcd3cee879e5f217badd
SHA1: 5979f22300d21ffc3cf8ddf28b5dde64471b271f
SHA256: c2742893ca6be23880321184d0bf29d2e318f6193288a287913c78f4b15dc90a
SHA512: 7c710d10fc6c19e3c9df3a4add4079369f26fa50bac18d252f5a7ac3f1fa79d453d7b7535f8abf76ef610db4e9aa37181bbf0ea21e6ec159d4097a655e3bf1b6

Filesize: 1KB
MD5: 134b17d6ccc5158cc32c664b5f4245c5
SHA1: 404d65e237f053b0b03812b5330aa37156d35090
SHA256: 70d5ef14555f6f634df47258c652532ccc483a61631b7a40f89acaad7738e304
SHA512: 6cd12ea10ce3cfab5b9be294bc2a7c1b13e85997bdae006955b0eef43ab1d70c3ecd9c7b5791ea2227456c02c3dcf684efa19a0358b7d0bfd337e611d8900fc8

Filesize: 1KB
MD5: 5ea651427fd4122d1505a833aa88bf63
SHA1: 981a211f729a68cb37a72ebe7694a515f1fdd8bb
SHA256: c8b17ac4956a905368f4e8d817d02adb9e0d1ccb92d22042ee982bc8eee3b4b7
SHA512: eac20febf1dc4c6dedf665567dbd3bdc49556e7c88c04b98b80b638b82996ec4c0f136850ce1ca4369e13cf8097467d2f5157cb7695cec9ac41b8892a2444225

Filesize: 640B
MD5: 5d142e7978321fde49abd9a068b64d97
SHA1: 70020fcf7f3d6dafb6c8cd7a55395196a487bef4
SHA256: fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061
SHA512: 2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Filesize: 217B
MD5: c00d8433fe598abff197e690231531e0
SHA1: 4f6b87a4327ff5343e9e87275d505b9f145a7e42
SHA256: 52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e
SHA512: a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1
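The hash list above is only useful once it is machine-readable, and as extracted the labels are fused to their values. The script below is an added example, not the sandbox's own tooling: it parses both the fused form and a "Label: value" form into IOC records, refuses truncated digests (a silent non-match is the worst failure mode for a hash sweep), and matches file bytes against every digest a record carries so that a record whose MD5 matches but whose SHA256 does not is reported as "partial" rather than as a clean hit. REPORT_EXCERPT is constructed from two of the entries above; the byte string fed to match() in the demo is constructed and is not one of the dropped files.

```python
"""
IOC matcher for the dropped-file hash list in this report.  Added example,
not the sandbox's own tooling.  REPORT_EXCERPT is constructed from two of
the entries above: one with label and value fused as extracted, one written
as "Label: value", so the parser accepts either.
"""
import hashlib
import re

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*:?\s*([0-9a-fA-F]+)\s*$")
SIZE = re.compile(r"^Filesize\s*:?\s*(\S+)?$")
PATH = re.compile(r"^[A-Za-z]:\\")

REPORT_EXCERPT = r"""
C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.GenericCryptor.czo-43497d5d133ad2f7d040bd775e4ae18c017f4946b00b827161ba51b2c158287a.exe
Filesize89KB
MD5f2ba9f28bb49437dc44bc83efa969c53
SHA1dd0c2309460f19cd1eae3a9d03f78ed2387c77bc
SHA25643497d5d133ad2f7d040bd775e4ae18c017f4946b00b827161ba51b2c158287a
SHA512d2acc2bb09b5ecf7aac52202982e7cf8151fd5ee3937c7cc84a0224fbda758c04c9484869be14b0aee257e1882f40d8b1859a73848ea7c1adf765648bc83f137
-
Filesize
4B
MD5: f49655f856acb8884cc0ace29216f511
SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
"""


def parse_report(text):
    """Return one dict per dropped-file record: path (None when the report
    gives none), size, and md5/sha1/sha256/sha512 in lower-case hex.  Digest
    lengths are checked so a truncated copy-paste raises instead of never
    matching."""
    records, cur, pending_size = [], None, False

    def flush():
        nonlocal cur
        if cur and "sha256" in cur:
            records.append(cur)
        cur = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if PATH.match(line):                       # a new record with a path
            flush()
            cur, pending_size = {"path": line}, False
            continue
        m = SIZE.match(line)
        if m:                                      # size, possibly on next line
            if cur is None or "sha256" in cur:     # path-less record starts here
                flush()
                cur = {"path": None}
            if m.group(1):
                cur["size"] = m.group(1)
            else:
                pending_size = True
            continue
        m = HASH.match(line)
        if m and cur is not None:
            algo, value = m.group(1).lower(), m.group(2).lower()
            if len(value) != HEX_LEN[algo]:
                raise ValueError(f"{algo} has {len(value)} hex digits, expected {HEX_LEN[algo]}")
            cur[algo] = value
            continue
        if pending_size and cur is not None:       # the bare "4B" after "Filesize"
            cur["size"], pending_size = line, False
    flush()
    return records


def digests(data: bytes):
    """MD5/SHA1/SHA256 of the bytes; SHA512 is left out as the report's
    SHA256 is already the authoritative key."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def match(data: bytes, records):
    """Return (record, verdict): 'match' when every digest the record carries
    agrees, 'partial' when only some do (garbled record or a collision worth
    a look), (None, None) when nothing matches."""
    d = digests(data)
    for rec in records:
        hits = [a for a in d if a in rec and rec[a] == d[a]]
        if hits:
            expected = sum(a in rec for a in d)
            return rec, "match" if len(hits) == expected else "partial"
    return None, None


def by_sha256(records):
    """Index for direct lookup when you already hold a digest from EDR."""
    return {r["sha256"]: r for r in records}


if __name__ == "__main__":
    recs = parse_report(REPORT_EXCERPT)
    print(f"{len(recs)} IOC records loaded")
    rec, verdict = match(b"constructed bytes, not a sample", recs)  # constructed input
    print("no match" if rec is None else f"{verdict}: {rec['path']}")
```

Feed `match()` the bytes of each candidate file (for example `pathlib.Path(p).read_bytes()` over a quarantine directory) and treat "partial" as something to open, not something to dismiss: with MD5 and SHA1 both broken for collision resistance, only the SHA256 agreement should close the case.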