azorult | 1d5dce56b1bf8f92c234163db2d3338db08aa0a94acdbd6a9ec131ba1531b6ca

Analysis

max time kernel
99s
max time network
79s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00331.7z
Size

829KB
MD5

7b31fb85873a3c577a52b0b57ba94432
SHA1

c476494ddfa833612be0a4d6a8492bba08380994
SHA256

1d5dce56b1bf8f92c234163db2d3338db08aa0a94acdbd6a9ec131ba1531b6ca
SHA512

be6b0cb9fb54b536e246e9e944f1f5b988936de73abec380f2f14527b3c9abadbb6df3e8c96d1255e66af16494c0464179adc2699d092fcd297c31c581eb1ea3
SSDEEP

24576:Qo2pvlAY6jcuObIc1SN2UiI+Ud5+DS9l8ROn:mpvlsYIcYN2FnUdQS9qROn

Score

10^/10

azorult emotet aspackv2 banker discovery infostealer persistence ransomware trojan

Malware Config

Extracted

Family

azorult

http://admin.svapofit.com/azs/index.php

http://plagueonline.com/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe

Renames multiple (93) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0006000000018c26-36.dat	aspack_v212_v242
behavioral1/files/0x0008000000016d46-33.dat	aspack_v212_v242
behavioral1/files/0x00050000000191ff-86.dat	aspack_v212_v242
behavioral1/files/0x0006000000018f53-307.dat	aspack_v212_v242
behavioral1/files/0x0006000000018c26-304.dat	aspack_v212_v242
behavioral1/files/0x0006000000018f53-363.dat	aspack_v212_v242
behavioral1/files/0x0006000000018c26-360.dat	aspack_v212_v242
behavioral1/files/0x0006000000018f53-372.dat	aspack_v212_v242
behavioral1/files/0x0006000000018c26-369.dat	aspack_v212_v242

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe

Executes dropped EXE 28 IoCs

pid	Process
2748	Trojan-Ransom.Win32.Spora.ffd-04bbd72b1b29b28439c54e8c66bfea3675958ba2467f75d0f09ef384a358474f.exe
2612	Trojan-Ransom.Win32.Spora.ffd-04bbd72b1b29b28439c54e8c66bfea3675958ba2467f75d0f09ef384a358474f.exe
2640	Trojan-Ransom.Win32.GandCrypt.bye-ccdedde455797309a6e76fb93483a74d2fd53e375eff7433790e2738c0bf8d63.exe
2760	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
2616	Trojan-Ransom.Win32.Blocker.ldgc-253715016906accf4ba348ea0b8fde47b22d3f364ade62a23b81f4b77cb468b6.exe
2708	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe
2636	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
1688	sketchenums.exe
2776	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
2756	Trojan-Ransom.Win32.GandCrypt.bye-ccdedde455797309a6e76fb93483a74d2fd53e375eff7433790e2738c0bf8d63.exe
3008	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
2708	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
2044	Trojan-Ransom.Win32.Blocker.ldgc-253715016906accf4ba348ea0b8fde47b22d3f364ade62a23b81f4b77cb468b6.exe
1720	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe
2872	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
1892	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
2940	Trojan-Ransom.Win32.GandCrypt.bye-ccdedde455797309a6e76fb93483a74d2fd53e375eff7433790e2738c0bf8d63.exe
1132	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
1888	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
828	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe
824	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
2556	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
1416	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe
888	Trojan-Ransom.Win32.Blocker.ldgc-253715016906accf4ba348ea0b8fde47b22d3f364ade62a23b81f4b77cb468b6.exe
1628	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
2256	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
2860	Trojan-Ransom.Win32.GandCrypt.bye-ccdedde455797309a6e76fb93483a74d2fd53e375eff7433790e2738c0bf8d63.exe
2784	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\L:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\Z:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\M:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\Q:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\M:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\N:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\V:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\W:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\A:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\R:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\I:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\W:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\B:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\U:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\X:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\V:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\T:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\E:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\Q:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\U:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\J:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\B:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\I:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\Q:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\R:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\X:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\H:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\O:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\J:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\S:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\A:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\Y:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\B:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\H:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\Q:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\T:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\T:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\G:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\O:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\X:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\A:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\V:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\E:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\K:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\U:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\N:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\Z:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\X:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\B:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\K:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\Z:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\J:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\R:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\Z:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\I:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\O:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\Y:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\R:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\P:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\I:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\S:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\T:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened (read-only)	\??\G:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	F:\AUTORUN.INF	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	F:\AUTORUN.INF	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	F:\AUTORUN.INF	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	F:\AUTORUN.INF	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2760 set thread context of 2776	2760	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	42
PID 3008 set thread context of 1132	3008	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	53
PID 2708 set thread context of 1888	2708	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	54
PID 1892 set thread context of 1628	1892	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	61
PID 2256 set thread context of 2784	2256	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	67

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Spora.ffd-04bbd72b1b29b28439c54e8c66bfea3675958ba2467f75d0f09ef384a358474f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldgc-253715016906accf4ba348ea0b8fde47b22d3f364ade62a23b81f4b77cb468b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldgc-253715016906accf4ba348ea0b8fde47b22d3f364ade62a23b81f4b77cb468b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldgc-253715016906accf4ba348ea0b8fde47b22d3f364ade62a23b81f4b77cb468b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Spora.ffd-04bbd72b1b29b28439c54e8c66bfea3675958ba2467f75d0f09ef384a358474f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sketchenums.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2160	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2748	Trojan-Ransom.Win32.Spora.ffd-04bbd72b1b29b28439c54e8c66bfea3675958ba2467f75d0f09ef384a358474f.exe
2612	Trojan-Ransom.Win32.Spora.ffd-04bbd72b1b29b28439c54e8c66bfea3675958ba2467f75d0f09ef384a358474f.exe
2636	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
2872	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
824	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
2556	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2340	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2068	7zFM.exe
Token: 35	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeDebugPrivilege	2340	taskmgr.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2068	7zFM.exe
2068	7zFM.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe
2340	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2760	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
3008	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
2708	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
1892	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
2256	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2612	2748	Trojan-Ransom.Win32.Spora.ffd-04bbd72b1b29b28439c54e8c66bfea3675958ba2467f75d0f09ef384a358474f.exe	33
PID 2748 wrote to memory of 2612	2748	Trojan-Ransom.Win32.Spora.ffd-04bbd72b1b29b28439c54e8c66bfea3675958ba2467f75d0f09ef384a358474f.exe	33
PID 2748 wrote to memory of 2612	2748	Trojan-Ransom.Win32.Spora.ffd-04bbd72b1b29b28439c54e8c66bfea3675958ba2467f75d0f09ef384a358474f.exe	33
PID 2748 wrote to memory of 2612	2748	Trojan-Ransom.Win32.Spora.ffd-04bbd72b1b29b28439c54e8c66bfea3675958ba2467f75d0f09ef384a358474f.exe	33
PID 2708 wrote to memory of 2852	2708	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	41
PID 2708 wrote to memory of 2852	2708	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	41
PID 2708 wrote to memory of 2852	2708	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	41
PID 2708 wrote to memory of 2852	2708	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	41
PID 2708 wrote to memory of 2852	2708	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	41
PID 2708 wrote to memory of 2852	2708	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	41
PID 2760 wrote to memory of 2776	2760	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	42
PID 2760 wrote to memory of 2776	2760	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	42
PID 2760 wrote to memory of 2776	2760	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	42
PID 2760 wrote to memory of 2776	2760	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	42
PID 2760 wrote to memory of 2776	2760	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	42
PID 2760 wrote to memory of 2776	2760	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	42
PID 2760 wrote to memory of 2776	2760	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	42
PID 2760 wrote to memory of 2776	2760	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	42
PID 2760 wrote to memory of 2776	2760	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	42
PID 2760 wrote to memory of 2776	2760	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	42
PID 2760 wrote to memory of 2776	2760	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	42
PID 1720 wrote to memory of 2764	1720	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	51
PID 1720 wrote to memory of 2764	1720	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	51
PID 1720 wrote to memory of 2764	1720	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	51
PID 1720 wrote to memory of 2764	1720	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	51
PID 1720 wrote to memory of 2764	1720	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	51
PID 1720 wrote to memory of 2764	1720	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	51
PID 3008 wrote to memory of 1132	3008	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	53
PID 3008 wrote to memory of 1132	3008	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	53
PID 3008 wrote to memory of 1132	3008	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	53
PID 3008 wrote to memory of 1132	3008	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	53
PID 3008 wrote to memory of 1132	3008	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	53
PID 3008 wrote to memory of 1132	3008	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	53
PID 3008 wrote to memory of 1132	3008	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	53
PID 3008 wrote to memory of 1132	3008	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	53
PID 3008 wrote to memory of 1132	3008	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	53
PID 3008 wrote to memory of 1132	3008	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	53
PID 3008 wrote to memory of 1132	3008	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	53
PID 2708 wrote to memory of 1888	2708	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	54
PID 2708 wrote to memory of 1888	2708	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	54
PID 2708 wrote to memory of 1888	2708	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	54
PID 2708 wrote to memory of 1888	2708	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	54
PID 2708 wrote to memory of 1888	2708	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	54
PID 2708 wrote to memory of 1888	2708	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	54
PID 2708 wrote to memory of 1888	2708	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	54
PID 2708 wrote to memory of 1888	2708	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	54
PID 2708 wrote to memory of 1888	2708	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	54
PID 2708 wrote to memory of 1888	2708	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	54
PID 2708 wrote to memory of 1888	2708	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	54
PID 828 wrote to memory of 2352	828	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	58
PID 828 wrote to memory of 2352	828	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	58
PID 828 wrote to memory of 2352	828	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	58
PID 828 wrote to memory of 2352	828	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	58
PID 828 wrote to memory of 2352	828	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	58
PID 828 wrote to memory of 2352	828	Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe	58
PID 1892 wrote to memory of 1628	1892	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	61
PID 1892 wrote to memory of 1628	1892	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	61
PID 1892 wrote to memory of 1628	1892	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	61
PID 1892 wrote to memory of 1628	1892	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	61
PID 1892 wrote to memory of 1628	1892	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	61
PID 1892 wrote to memory of 1628	1892	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	61
PID 1892 wrote to memory of 1628	1892	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	61
PID 1892 wrote to memory of 1628	1892	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	61
PID 1892 wrote to memory of 1628	1892	Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe	61

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00331.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2068

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Spora.ffd-04bbd72b1b29b28439c54e8c66bfea3675958ba2467f75d0f09ef384a358474f.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Spora.ffd-04bbd72b1b29b28439c54e8c66bfea3675958ba2467f75d0f09ef384a358474f.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Spora.ffd-04bbd72b1b29b28439c54e8c66bfea3675958ba2467f75d0f09ef384a358474f.exe
  "C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Spora.ffd-04bbd72b1b29b28439c54e8c66bfea3675958ba2467f75d0f09ef384a358474f.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2612

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.GandCrypt.bye-ccdedde455797309a6e76fb93483a74d2fd53e375eff7433790e2738c0bf8d63.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.GandCrypt.bye-ccdedde455797309a6e76fb93483a74d2fd53e375eff7433790e2738c0bf8d63.exe"
1⤵
- Executes dropped EXE
PID:2640

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
  "C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2776

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldgc-253715016906accf4ba348ea0b8fde47b22d3f364ade62a23b81f4b77cb468b6.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldgc-253715016906accf4ba348ea0b8fde47b22d3f364ade62a23b81f4b77cb468b6.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2616

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\notepad.exe
  "C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2852

C:\Users\Admin\Desktop\00331\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
"C:\Users\Admin\Desktop\00331\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2636

C:\Windows\SysWOW64\sketchenums.exe
"C:\Windows\SysWOW64\sketchenums.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1688

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.GandCrypt.bye-ccdedde455797309a6e76fb93483a74d2fd53e375eff7433790e2738c0bf8d63.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.GandCrypt.bye-ccdedde455797309a6e76fb93483a74d2fd53e375eff7433790e2738c0bf8d63.exe"
1⤵
- Executes dropped EXE
PID:2756

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
  "C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1132

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
  "C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1888

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldgc-253715016906accf4ba348ea0b8fde47b22d3f364ade62a23b81f4b77cb468b6.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldgc-253715016906accf4ba348ea0b8fde47b22d3f364ade62a23b81f4b77cb468b6.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2044

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\notepad.exe
  "C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764

C:\Users\Admin\Desktop\00331\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
"C:\Users\Admin\Desktop\00331\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2872

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
  "C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1628

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.GandCrypt.bye-ccdedde455797309a6e76fb93483a74d2fd53e375eff7433790e2738c0bf8d63.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.GandCrypt.bye-ccdedde455797309a6e76fb93483a74d2fd53e375eff7433790e2738c0bf8d63.exe"
1⤵
- Executes dropped EXE
PID:2940

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\notepad.exe
  "C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2352

C:\Users\Admin\Desktop\00331\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
"C:\Users\Admin\Desktop\00331\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:824

C:\Users\Admin\Desktop\00331\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe
"C:\Users\Admin\Desktop\00331\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1416
- C:\Windows\SysWOW64\notepad.exe
  "C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1632

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldgc-253715016906accf4ba348ea0b8fde47b22d3f364ade62a23b81f4b77cb468b6.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldgc-253715016906accf4ba348ea0b8fde47b22d3f364ade62a23b81f4b77cb468b6.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:888

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2256
- C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe
  "C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2784

C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.GandCrypt.bye-ccdedde455797309a6e76fb93483a74d2fd53e375eff7433790e2738c0bf8d63.exe
"C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.GandCrypt.bye-ccdedde455797309a6e76fb93483a74d2fd53e375eff7433790e2738c0bf8d63.exe"
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2340

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RestartUnblock.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.exe

Filesize
1.1MB

MD5
d3ad12a9b641f6203b41eb2202de1678

SHA1
771a5b1735f76d90ddf7363cef2120cb8216b723

SHA256
88f80bbd6b5200ad25479fe917ce5fb0ea5898cfd929bf496d5d1972f52a1f63

SHA512
302d9313402b06c4b8de217795740b7c515c0fe20d4ff9929f5a6789e942dfbb11ce42a0b8bed2c8f6cdff4b84e21f7ed312a230b3417acea8e2b1139222c6f7

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
1.9MB

MD5
c57ef16f967bb02e98e5679824b8e873

SHA1
2400e149510276003199956940c05f3d130334a2

SHA256
9383f9df196ee59a514e126efd91335c4ec38d099b0f21f47e4db614f5f9274f

SHA512
c337711cd77775688bab80f9675f85261d362825b63707b32466d326a065005c2f35b0e8ca2761d4f3ce1306ecea44bc8348d0c10fd4e2e8ba51cd8f3127bfaa

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
1.9MB

MD5
8095526409cb884bf5d89c28cfb7c861

SHA1
1e2faa7085692d437e97479463366cf9c254adf9

SHA256
ab4291d5b2385675ecd8974f0c5c3b7fe2750f4563b3bf308de0070715a924dc

SHA512
2ae6cabb6c9a944018227c5af27b5d00dff45b58ca5309f6a24d6e72a079bc39132875dfbbc86aabdfd1cb911de11d336f22efe7c92937d5cc439fbf4c744221

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
1.9MB

MD5
c139558a845223d02ef7ee6267524782

SHA1
99a0666c562ff341cb16ae96befe6182ba828a07

SHA256
2d0e4b0a9f86781bc60fbc31210bf0a886f8e5211826041cd34bfa98206fd676

SHA512
c19842050f4f250874637d6ea0c48bff1c2c240b74717feae4efc3dd04293fd348f37165ab1535f31d0d0358007372621d48f0af1192f5ef4b498a4d8b323d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VB73AA.tmp

Filesize
16KB

MD5
ed86c17b36df7bf1f7c3557690562075

SHA1
b981f25ff703aca09c352ef03cd534ae21b0f38c

SHA256
c5787206ea9e4abe0a6411e295e9b2ad5c85250590eb0c7c2034d7699da7f2a4

SHA512
daba85c7ad5d2f7032d955bdc940cda7d667a523c6fe908c4896e833524e356f95acdf36384ed0dc63997903cf63c81ccb7e0901d8e4a90c24be9beb5bba758f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQCaq8CIhR1KoirkPNBT

Filesize
124KB

MD5
3453260dc95e53390f29c00d7276c55b

SHA1
072798c47cda0945a36b9f72e902e26fbe7f3e8e

SHA256
e1da358471952e688be56ea3f44eb0f55442bfa09579d055f1ef74c1e500aa1e

SHA512
6defc7ae0379025de696c78f03df52bb11ffe3956f09b04331eced463cbd226c3b2ff6b8afb01d8af205192b67048da78489ca40df27a628ee990989266192db

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQCaq8CIhR1KoirkPNBT

Filesize
124KB

MD5
aeeb8ace5e6045ad12e527e8c34512ef

SHA1
0a39ae14dd20ce0d2254acc5066fb1ee3ae15dca

SHA256
549f71c528d97015d58a70a0e110dbbdb5730af8d47d5e7eb41cab0ee7ee5b95

SHA512
93baed58741d93077c3f37a43c6792accba7ca5bec1fa5b1c7adfbd12af827927b87e29613829d2626c005d8a4317c5a4c2dca0ec849123bfe25a87d821557f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2ac862ad1578fd6bc168913c96d2d879

SHA1
19c61c500c2a157ccdfeec89c6b28e97519b963d

SHA256
59f53048a5d268402ca0f99c0e8212b53e93c392c4708312e7c091e70bb9af35

SHA512
aa04c8d39bbd47c35749e4ce4712f415155cce19f002f47b378663759cebb1f83f4e2707c1937d23ea4716e387edbf98000cb68db1fc4ea41289881d4cde8287

Download Submit
C:\Users\Admin\Desktop\00331\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5.exe

Filesize
1.1MB

MD5
05054500979f067f20e9ebe0f32fa39d

SHA1
45c004f4b0b18dc33eb9a83745fda39fb97daa87

SHA256
8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5

SHA512
1a006caca3a918fceef98d61bf3c23c3e8cbce83f065cb35ab674c82f8b98def9a62c4e54d2e109fb751637a6659471dd84bda4a4375ddade35d626f01a86f85

Download Submit
C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldfo-f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b.exe

Filesize
280KB

MD5
aa8fc64e0529300e746853ab157c6471

SHA1
16c4709b345a65faa1d08c1052f3e0f429fef433

SHA256
f9cd9d81f4fe831af469f2867ef4e59f1ae9f5844a00abf2699d54cb4540049b

SHA512
33e2fed483187ca75a5e198872855f4f34b97b2213a4a0cc863010b5484205fb226c116013709f8ff329aeeaa4916187ed5a91618048bf03bc9057ed57d916b9

Download Submit
C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldgc-253715016906accf4ba348ea0b8fde47b22d3f364ade62a23b81f4b77cb468b6.exe

Filesize
215KB

MD5
e5835982150dbfa2b57b09e497e71bbc

SHA1
57ed578622d3f77e837d6e80ab3d4042bec0a812

SHA256
253715016906accf4ba348ea0b8fde47b22d3f364ade62a23b81f4b77cb468b6

SHA512
ff0f2b2aef14e11091e3ca7400f0aa6937b128ff47ddbb9635685edcb0314ebc61c0d67ae28af233d02800a39a2b143515acae3e5aae66c8506e5cf72a70fa97

Download Submit
C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Blocker.ldnn-4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463.exe

Filesize
284KB

MD5
9116a9907848ed817a0a5f05da96f3de

SHA1
c9f12d07b4f0c115cb4e408332462869aa18b63c

SHA256
4250f6bea988e7c845c9bb0a2c13f1828dbe125317060f7597cf3dddc446e463

SHA512
af1e4b8dd71144f5dda5ec3f176c17a266d1d16c8f8150e20d137f139d3594098c651cfb616d2a6e3d4e58bb93deccca4dbbf147064960f70909c99d6e973249

Download Submit
C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.GandCrypt.bye-ccdedde455797309a6e76fb93483a74d2fd53e375eff7433790e2738c0bf8d63.exe

Filesize
245KB

MD5
f6ac568e1b803a126322affcc07efed6

SHA1
da1e43aca686c1735f0104abc2c24a2c2cd224fe

SHA256
ccdedde455797309a6e76fb93483a74d2fd53e375eff7433790e2738c0bf8d63

SHA512
4656a5b9c444b780006663bc3a7f66db1fe6052f043629208c56b959e5db02c7c6310d1567099f593a954656729c2be7a5d69ef09ca4a51a4a359322e06ab360

Download Submit
C:\Users\Admin\Desktop\00331\Trojan-Ransom.Win32.Spora.ffd-04bbd72b1b29b28439c54e8c66bfea3675958ba2467f75d0f09ef384a358474f.exe

Filesize
152KB

MD5
10ec30bdc186f1189c860b9e78c0d504

SHA1
ed190b7331cd4ee0ee00445cde9688c424dcfdb8

SHA256
04bbd72b1b29b28439c54e8c66bfea3675958ba2467f75d0f09ef384a358474f

SHA512
6808c32780fb8656a9c4ee2e2680581f302bab06cdf95bc96fb36bcc2d95d5f08d376281ee5f593e080602dfc3ba92ca0924831fdb905a231ae6c0ffe387b37c

Download Submit
C:\Windows\SysWOW64\notepad.exe.exe

Filesize
1.3MB

MD5
380005f15f7d5e5a5f1514a5cf6a2c53

SHA1
a32f27fcca658453bbd078bb16d9f7169ff63da4

SHA256
02c717e3f2afbbd038ce25297ee28af0e16b115215ef0110d55304c6b1ac0a38

SHA512
fc08fa13eda078a57723a7615cbab57deb0c4986b3bbf9e9fd5973af22b06160f38b1a1bf1d42bac16ef700050f61aa4841ee9493e97ba7c1955667899cc58f8

Download Submit
C:\Windows\SysWOW64\notepad.exe.exe

Filesize
1.3MB

MD5
bb0bda593e5ada4b2bde04f01ac817cf

SHA1
2856361b9e9a1d86e2c93f8e3638325f45f9d704

SHA256
eb151e950607fc18380ad8247395e29cebc689001000433c97763c3d0346694d

SHA512
8d9270b7fee8e8fdef7e75674bc7e83f3ff9b79007c3d8e7ba135ba1ed1a64a9178b0df3e7a92d3ede6ed3904f8d4d328f0616e1284bcd79fab0225fc03d257c

Download Submit
C:\Windows\SysWOW64\notepad.exe.exe

Filesize
1.3MB

MD5
0d861ea9c82c5407c939cfb2abcaec6b

SHA1
0dfa31e343eacad121010643c4d6769df1fc2b46

SHA256
31c1f0c479b3b16ab49e7a854eea37b8f4bcd8c457047c6e41e874583f21b8d7

SHA512
a3bbf01bb0606bb402843c6a7c98acfdbfc323dbc94c5b6d4753133a2715afa1853694078056ea48f6d3927c7e10d91f0a758b18ab61248512a3dcba236e83ef

Download Submit
C:\Windows\SysWOW64\notepad.exe.exe

Filesize
1.3MB

MD5
8204c6ee93bc36366761b0ccccb3ee27

SHA1
88cb5909507246a0933063d379c45d128cbd8fca

SHA256
e4413c07a03edb7c0657a642ee02b1525b665ba9abb84d7198ff7eaff2c566f6

SHA512
acdb3c0cecb4bfb04b6090af4ef9cf6450487a13572b9ed5940723795293095c6327efbaeb702fd4501b6d7a277364b53b96745109e8ca6d8fc1ec7eed06786c

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
memory/888-396-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1132-345-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1888-357-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2044-301-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2340-462-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2340-461-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2352-386-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2612-24-0x0000000001BB0000-0x0000000001BC6000-memory.dmp

Filesize
88KB

Download
memory/2612-20-0x0000000001BB0000-0x0000000001BC6000-memory.dmp

Filesize
88KB

Download
memory/2612-272-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2616-53-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2636-288-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2636-276-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2636-316-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2636-350-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2708-44-0x0000000000940000-0x0000000000A50000-memory.dmp

Filesize
1.1MB

Download
memory/2708-45-0x0000000000320000-0x0000000000367000-memory.dmp

Filesize
284KB

Download
memory/2708-42-0x0000000000320000-0x000000000036B000-memory.dmp

Filesize
300KB

Download
memory/2708-43-0x0000000000940000-0x0000000000AC0000-memory.dmp

Filesize
1.5MB

Download
memory/2748-14-0x0000000000350000-0x0000000000366000-memory.dmp

Filesize
88KB

Download
memory/2748-18-0x0000000000350000-0x0000000000366000-memory.dmp

Filesize
88KB

Download
memory/2764-337-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2764-328-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2776-284-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2776-282-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2776-278-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2852-273-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2852-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2872-393-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2872-347-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download