9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cf

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30/10/2024, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
Size

612KB
MD5

d6b5b3d0a17b1f347665d4e55f8b3df0
SHA1

205749f118c2ca5cb822556e6f50ca86c3ee78b3
SHA256

9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cf
SHA512

6dccfca6772e302a4abbddaefcdaad718c106005b7d627a0a6ca91c3325355448ce43432bef8f3229c7c35bcb8c28b1bc8a8dbb670d53ba842b9430c4b2015df
SSDEEP

12288:k1XgVeBOuW1cLcOtoqSuL0xkpPc9EcgyCBUxaNH3bCdGP/g7i7s:k1XgVeBOuW1cLcOtoqmkpP91bCdk/Fs

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\#HowToRecover.txt

Ransom Note

Your Files Have Been Encrypted! Attention! All your important files have been stolen and encrypted by our advanced attack. Without our special decryption software, theres no way to recover your data! Your ID: [ 79366A5B-1337 ] To restore your files, reach out to us at: [email protected] You can also contact us via Telegram: @Hedaransom Failing to act may result in sensitive company data being leaked or sold. Do NOT use third-party tools, as they may permanently damage your files. Why Trust Us? Before making any payment, you can send us few files for free decryption test. Our business relies on fulfilling our promises. How to Buy Bitcoin? You can purchase Bitcoin to pay the ransom using these trusted platforms: https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/en-gb/how-to-buy/bitcoin https://paxful.com

Emails

[email protected]

URLs

https://paxful.com

Signatures

Renames multiple (7752) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\background.bmp"	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\#HowToRecover.txt	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107748.WMF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198102.WMF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0230876.WMF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR5F.GIF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPICCAP.DPV	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\settings.js	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\#HowToRecover.txt	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPFT532.CNV	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\PREVIEW.GIF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0291794.WMF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+9	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\#HowToRecover.txt	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\#HowToRecover.txt	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADVTEL.DIC	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\#HowToRecover.txt	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00269_.WMF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\#HowToRecover.txt	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\vlc.mo	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\#HowToRecover.txt	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182946.WMF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01743_.GIF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099151.WMF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00433_.WMF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACC.OLB	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099169.WMF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_cloudy.png	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01191_.WMF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\#HowToRecover.txt	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_F_COL.HXK	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\#HowToRecover.txt	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_zh_CN.jar	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Port_of_Spain	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLBAR.INF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFTMPL.CFG	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\#HowToRecover.txt	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\#HowToRecover.txt	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01866_.WMF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10300_.GIF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00086_.WMF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PULQOT98.POC	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\drag.png	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\weather.js	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Havana	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\#HowToRecover.txt	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01181_.WMF	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\#HowToRecover.txt	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Wallpaper = "C:\\background.bmp"	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\Wallpaper = "C:\\background.bmp"	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\background.bmp"	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2928	vssvc.exe
Token: SeRestorePrivilege	2928	vssvc.exe
Token: SeAuditPrivilege	2928	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2672	WMIC.exe
Token: SeSecurityPrivilege	2672	WMIC.exe
Token: SeTakeOwnershipPrivilege	2672	WMIC.exe
Token: SeLoadDriverPrivilege	2672	WMIC.exe
Token: SeSystemProfilePrivilege	2672	WMIC.exe
Token: SeSystemtimePrivilege	2672	WMIC.exe
Token: SeProfSingleProcessPrivilege	2672	WMIC.exe
Token: SeIncBasePriorityPrivilege	2672	WMIC.exe
Token: SeCreatePagefilePrivilege	2672	WMIC.exe
Token: SeBackupPrivilege	2672	WMIC.exe
Token: SeRestorePrivilege	2672	WMIC.exe
Token: SeShutdownPrivilege	2672	WMIC.exe
Token: SeDebugPrivilege	2672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2672	WMIC.exe
Token: SeRemoteShutdownPrivilege	2672	WMIC.exe
Token: SeUndockPrivilege	2672	WMIC.exe
Token: SeManageVolumePrivilege	2672	WMIC.exe
Token: 33	2672	WMIC.exe
Token: 34	2672	WMIC.exe
Token: 35	2672	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2672	WMIC.exe
Token: SeSecurityPrivilege	2672	WMIC.exe
Token: SeTakeOwnershipPrivilege	2672	WMIC.exe
Token: SeLoadDriverPrivilege	2672	WMIC.exe
Token: SeSystemProfilePrivilege	2672	WMIC.exe
Token: SeSystemtimePrivilege	2672	WMIC.exe
Token: SeProfSingleProcessPrivilege	2672	WMIC.exe
Token: SeIncBasePriorityPrivilege	2672	WMIC.exe
Token: SeCreatePagefilePrivilege	2672	WMIC.exe
Token: SeBackupPrivilege	2672	WMIC.exe
Token: SeRestorePrivilege	2672	WMIC.exe
Token: SeShutdownPrivilege	2672	WMIC.exe
Token: SeDebugPrivilege	2672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2672	WMIC.exe
Token: SeRemoteShutdownPrivilege	2672	WMIC.exe
Token: SeUndockPrivilege	2672	WMIC.exe
Token: SeManageVolumePrivilege	2672	WMIC.exe
Token: 33	2672	WMIC.exe
Token: 34	2672	WMIC.exe
Token: 35	2672	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2652	WMIC.exe
Token: SeSecurityPrivilege	2652	WMIC.exe
Token: SeTakeOwnershipPrivilege	2652	WMIC.exe
Token: SeLoadDriverPrivilege	2652	WMIC.exe
Token: SeSystemProfilePrivilege	2652	WMIC.exe
Token: SeSystemtimePrivilege	2652	WMIC.exe
Token: SeProfSingleProcessPrivilege	2652	WMIC.exe
Token: SeIncBasePriorityPrivilege	2652	WMIC.exe
Token: SeCreatePagefilePrivilege	2652	WMIC.exe
Token: SeBackupPrivilege	2652	WMIC.exe
Token: SeRestorePrivilege	2652	WMIC.exe
Token: SeShutdownPrivilege	2652	WMIC.exe
Token: SeDebugPrivilege	2652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2652	WMIC.exe
Token: SeRemoteShutdownPrivilege	2652	WMIC.exe
Token: SeUndockPrivilege	2652	WMIC.exe
Token: SeManageVolumePrivilege	2652	WMIC.exe
Token: 33	2652	WMIC.exe
Token: 34	2652	WMIC.exe
Token: 35	2652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2652	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2828	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	33
PID 2208 wrote to memory of 2828	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	33
PID 2208 wrote to memory of 2828	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	33
PID 2828 wrote to memory of 2672	2828	cmd.exe	35
PID 2828 wrote to memory of 2672	2828	cmd.exe	35
PID 2828 wrote to memory of 2672	2828	cmd.exe	35
PID 2208 wrote to memory of 2704	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	36
PID 2208 wrote to memory of 2704	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	36
PID 2208 wrote to memory of 2704	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	36
PID 2704 wrote to memory of 2652	2704	cmd.exe	38
PID 2704 wrote to memory of 2652	2704	cmd.exe	38
PID 2704 wrote to memory of 2652	2704	cmd.exe	38
PID 2208 wrote to memory of 2728	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	39
PID 2208 wrote to memory of 2728	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	39
PID 2208 wrote to memory of 2728	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	39
PID 2728 wrote to memory of 2212	2728	cmd.exe	41
PID 2728 wrote to memory of 2212	2728	cmd.exe	41
PID 2728 wrote to memory of 2212	2728	cmd.exe	41
PID 2208 wrote to memory of 2820	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	42
PID 2208 wrote to memory of 2820	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	42
PID 2208 wrote to memory of 2820	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	42
PID 2820 wrote to memory of 2632	2820	cmd.exe	44
PID 2820 wrote to memory of 2632	2820	cmd.exe	44
PID 2820 wrote to memory of 2632	2820	cmd.exe	44
PID 2208 wrote to memory of 2380	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	45
PID 2208 wrote to memory of 2380	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	45
PID 2208 wrote to memory of 2380	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	45
PID 2380 wrote to memory of 108	2380	cmd.exe	47
PID 2380 wrote to memory of 108	2380	cmd.exe	47
PID 2380 wrote to memory of 108	2380	cmd.exe	47
PID 2208 wrote to memory of 2580	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	48
PID 2208 wrote to memory of 2580	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	48
PID 2208 wrote to memory of 2580	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	48
PID 2580 wrote to memory of 2576	2580	cmd.exe	50
PID 2580 wrote to memory of 2576	2580	cmd.exe	50
PID 2580 wrote to memory of 2576	2580	cmd.exe	50
PID 2208 wrote to memory of 2964	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	51
PID 2208 wrote to memory of 2964	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	51
PID 2208 wrote to memory of 2964	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	51
PID 2964 wrote to memory of 2840	2964	cmd.exe	53
PID 2964 wrote to memory of 2840	2964	cmd.exe	53
PID 2964 wrote to memory of 2840	2964	cmd.exe	53
PID 2208 wrote to memory of 2460	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	54
PID 2208 wrote to memory of 2460	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	54
PID 2208 wrote to memory of 2460	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	54
PID 2460 wrote to memory of 988	2460	cmd.exe	56
PID 2460 wrote to memory of 988	2460	cmd.exe	56
PID 2460 wrote to memory of 988	2460	cmd.exe	56
PID 2208 wrote to memory of 1620	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	57
PID 2208 wrote to memory of 1620	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	57
PID 2208 wrote to memory of 1620	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	57
PID 1620 wrote to memory of 1656	1620	cmd.exe	59
PID 1620 wrote to memory of 1656	1620	cmd.exe	59
PID 1620 wrote to memory of 1656	1620	cmd.exe	59
PID 2208 wrote to memory of 2004	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	60
PID 2208 wrote to memory of 2004	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	60
PID 2208 wrote to memory of 2004	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	60
PID 2004 wrote to memory of 808	2004	cmd.exe	62
PID 2004 wrote to memory of 808	2004	cmd.exe	62
PID 2004 wrote to memory of 808	2004	cmd.exe	62
PID 2208 wrote to memory of 664	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	63
PID 2208 wrote to memory of 664	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	63
PID 2208 wrote to memory of 664	2208	9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe	63
PID 664 wrote to memory of 1572	664	cmd.exe	65

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe
"C:\Users\Admin\AppData\Local\Temp\9befb88861ef0fed20aab3ba204ac8ca250f68930f685485898c7c18d262c0cfN.exe"
1⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{096796F1-2149-464D-ACBB-03B5C167CC17}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{096796F1-2149-464D-ACBB-03B5C167CC17}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F892CD27-E23E-4515-87B3-8F8F21B9D9C9}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F892CD27-E23E-4515-87B3-8F8F21B9D9C9}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{32A7D592-2541-4316-9CBA-F77BBB019FC7}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{32A7D592-2541-4316-9CBA-F77BBB019FC7}'" delete
    3⤵
    PID:2212
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4322938B-E7D8-427C-9899-D8612A7A139D}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4322938B-E7D8-427C-9899-D8612A7A139D}'" delete
    3⤵
    PID:2632
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40688390-1826-4849-9E8B-083873315E70}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40688390-1826-4849-9E8B-083873315E70}'" delete
    3⤵
    PID:108
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D6A7C606-A48C-4CE7-8835-04E81D7912DF}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D6A7C606-A48C-4CE7-8835-04E81D7912DF}'" delete
    3⤵
    PID:2576
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B7D60577-15EA-4C7B-BE0B-C497017039D0}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B7D60577-15EA-4C7B-BE0B-C497017039D0}'" delete
    3⤵
    PID:2840
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BB1A373F-4301-4C27-8A7E-482A72564628}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BB1A373F-4301-4C27-8A7E-482A72564628}'" delete
    3⤵
    PID:988
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E5A9288-DEC5-4D8F-9600-23F03936D215}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E5A9288-DEC5-4D8F-9600-23F03936D215}'" delete
    3⤵
    PID:1656
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{823E0A24-E393-468F-B11F-85124724B858}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{823E0A24-E393-468F-B11F-85124724B858}'" delete
    3⤵
    PID:808
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0A4CD207-FB7C-469F-9F7A-80D1BD4DFCFA}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0A4CD207-FB7C-469F-9F7A-80D1BD4DFCFA}'" delete
    3⤵
    PID:1572
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F64151A7-2488-4B24-9A4D-D03E41D3CAC7}'" delete
  2⤵
  PID:2464
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F64151A7-2488-4B24-9A4D-D03E41D3CAC7}'" delete
    3⤵
    PID:2084
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A40927C3-0F96-44E1-B89A-47B10F36A0E6}'" delete
  2⤵
  PID:1696
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A40927C3-0F96-44E1-B89A-47B10F36A0E6}'" delete
    3⤵
    PID:2476
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1C5B9C0E-6DDC-430F-9959-B1C7BC19DF79}'" delete
  2⤵
  PID:1732
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1C5B9C0E-6DDC-430F-9959-B1C7BC19DF79}'" delete
    3⤵
    PID:1252
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E322147-06DC-47C3-8F71-A37CFEE921A2}'" delete
  2⤵
  PID:2008
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E322147-06DC-47C3-8F71-A37CFEE921A2}'" delete
    3⤵
    PID:1124
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A273B3E7-11AE-4B3C-8748-31324B458734}'" delete
  2⤵
  PID:692
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A273B3E7-11AE-4B3C-8748-31324B458734}'" delete
    3⤵
    PID:2604
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{41A049F0-5D90-4970-A62C-95EBA2C69DB2}'" delete
  2⤵
  PID:1060
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{41A049F0-5D90-4970-A62C-95EBA2C69DB2}'" delete
    3⤵
    PID:296
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8E1A70E3-B89F-4CF4-95D7-7FBA75E2544E}'" delete
  2⤵
  PID:1412
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8E1A70E3-B89F-4CF4-95D7-7FBA75E2544E}'" delete
    3⤵
    PID:716
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2208 -s 628
  2⤵
  PID:2008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\#HowToRecover.txt

Filesize
871B

MD5
e6e8bd3a31703b45fbef54610e003704

SHA1
1aa559d72445e32dd99fb4e2e04bfa085bced575

SHA256
275a641e27e9d67840dff6f0b759493a8abba39beb3a160c89ea50d260db25e4

SHA512
bdc9ddd99f6166b6b1b40eb617344286beb64c896e2aad0aa1d6fc35c2bab3ae006c4b501742166b74fd178d12b0e7a660f2f0d4a7a176ff4908e92b905fa445

Download Submit