cb93ef8affa8e13b671190d1f8790aa08e0686097493d958e900659db2736841

Analysis

max time kernel
1563s
max time network
1563s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
Size

100KB
MD5

a94f5fa05150bf568a3c2d719ace2c02
SHA1

51bde3d8160a6e9eec4d0f445ef3b27076dddfbf
SHA256

7a3f89664c70aa0f6614ef731e9eddb061394497daeaf0720b89fee47af2f242
SHA512

6dee48b6d24f2a4361d03797af8aa6561ff6ae05f882b3f4d6034fde094b4bfa596f61b446258232e7657484d9ff00db6631eef527fffffe78651895c2bdeae6
SSDEEP

1536:ueBhQ2N/dYPAvq4OMZdRpK8WKzAlEEv4fvQUiEEvA2DsBpRLInFhm4zX:VtHy4OSLpKpe8Dvgcv8pRQm4

Score

10^/10

defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here:-> http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private softWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected] Spare email: E-MAIL1: [email protected] E-MAIL2: [email protected]

Emails

[email protected]

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Security Reader UpdateHardWare = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe\""	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Security Reader Update32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe\""	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityFlashPlayersHardWare = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_80add89c1c9b74ea.exe\""	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*SecurityFlashPlayers32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_80add89c1c9b74ea.exe\""	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\M:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\Q:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\U:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\V:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\B:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\H:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\I:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\X:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\Z:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\K:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\L:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\R:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\N:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\O:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\P:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\S:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\T:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\W:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\Y:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\A:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\E:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened (read-only)	\??\G:	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1288	vssadmin.exe
1096	vssadmin.exe
772	vssadmin.exe
2360	vssadmin.exe
684	vssadmin.exe
1908	vssadmin.exe
2356	vssadmin.exe
3032	vssadmin.exe
2468	vssadmin.exe
1308	vssadmin.exe
2880	vssadmin.exe
2020	vssadmin.exe
1688	vssadmin.exe
1176	vssadmin.exe
288	vssadmin.exe
708	vssadmin.exe
1276	vssadmin.exe
1504	vssadmin.exe
2900	vssadmin.exe
1544	vssadmin.exe
2700	vssadmin.exe
2948	vssadmin.exe
1056	vssadmin.exe
2928	vssadmin.exe
2560	vssadmin.exe
2012	vssadmin.exe
1144	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2888	NOTEPAD.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1660	WMIC.exe
Token: SeSecurityPrivilege	1660	WMIC.exe
Token: SeTakeOwnershipPrivilege	1660	WMIC.exe
Token: SeLoadDriverPrivilege	1660	WMIC.exe
Token: SeSystemProfilePrivilege	1660	WMIC.exe
Token: SeSystemtimePrivilege	1660	WMIC.exe
Token: SeProfSingleProcessPrivilege	1660	WMIC.exe
Token: SeIncBasePriorityPrivilege	1660	WMIC.exe
Token: SeCreatePagefilePrivilege	1660	WMIC.exe
Token: SeBackupPrivilege	1660	WMIC.exe
Token: SeRestorePrivilege	1660	WMIC.exe
Token: SeShutdownPrivilege	1660	WMIC.exe
Token: SeDebugPrivilege	1660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1660	WMIC.exe
Token: SeRemoteShutdownPrivilege	1660	WMIC.exe
Token: SeUndockPrivilege	1660	WMIC.exe
Token: SeManageVolumePrivilege	1660	WMIC.exe
Token: 33	1660	WMIC.exe
Token: 34	1660	WMIC.exe
Token: 35	1660	WMIC.exe
Token: SeBackupPrivilege	2936	vssvc.exe
Token: SeRestorePrivilege	2936	vssvc.exe
Token: SeAuditPrivilege	2936	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1660	WMIC.exe
Token: SeSecurityPrivilege	1660	WMIC.exe
Token: SeTakeOwnershipPrivilege	1660	WMIC.exe
Token: SeLoadDriverPrivilege	1660	WMIC.exe
Token: SeSystemProfilePrivilege	1660	WMIC.exe
Token: SeSystemtimePrivilege	1660	WMIC.exe
Token: SeProfSingleProcessPrivilege	1660	WMIC.exe
Token: SeIncBasePriorityPrivilege	1660	WMIC.exe
Token: SeCreatePagefilePrivilege	1660	WMIC.exe
Token: SeBackupPrivilege	1660	WMIC.exe
Token: SeRestorePrivilege	1660	WMIC.exe
Token: SeShutdownPrivilege	1660	WMIC.exe
Token: SeDebugPrivilege	1660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1660	WMIC.exe
Token: SeRemoteShutdownPrivilege	1660	WMIC.exe
Token: SeUndockPrivilege	1660	WMIC.exe
Token: SeManageVolumePrivilege	1660	WMIC.exe
Token: 33	1660	WMIC.exe
Token: 34	1660	WMIC.exe
Token: 35	1660	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2056	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	32
PID 2716 wrote to memory of 2056	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	32
PID 2716 wrote to memory of 2056	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	32
PID 2716 wrote to memory of 2056	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	32
PID 2716 wrote to memory of 1752	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	34
PID 2716 wrote to memory of 1752	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	34
PID 2716 wrote to memory of 1752	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	34
PID 2716 wrote to memory of 1752	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	34
PID 2056 wrote to memory of 1176	2056	cmd.exe	36
PID 2056 wrote to memory of 1176	2056	cmd.exe	36
PID 2056 wrote to memory of 1176	2056	cmd.exe	36
PID 2056 wrote to memory of 1176	2056	cmd.exe	36
PID 2716 wrote to memory of 2888	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	37
PID 2716 wrote to memory of 2888	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	37
PID 2716 wrote to memory of 2888	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	37
PID 2716 wrote to memory of 2888	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	37
PID 2716 wrote to memory of 1960	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	39
PID 2716 wrote to memory of 1960	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	39
PID 2716 wrote to memory of 1960	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	39
PID 2716 wrote to memory of 1960	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	39
PID 2716 wrote to memory of 1492	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	41
PID 2716 wrote to memory of 1492	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	41
PID 2716 wrote to memory of 1492	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	41
PID 2716 wrote to memory of 1492	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	41
PID 2888 wrote to memory of 1288	2888	cmd.exe	139
PID 2888 wrote to memory of 1288	2888	cmd.exe	139
PID 2888 wrote to memory of 1288	2888	cmd.exe	139
PID 2888 wrote to memory of 1288	2888	cmd.exe	139
PID 1752 wrote to memory of 1660	1752	cmd.exe	43
PID 1752 wrote to memory of 1660	1752	cmd.exe	43
PID 1752 wrote to memory of 1660	1752	cmd.exe	43
PID 1752 wrote to memory of 1660	1752	cmd.exe	43
PID 2716 wrote to memory of 1436	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	45
PID 2716 wrote to memory of 1436	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	45
PID 2716 wrote to memory of 1436	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	45
PID 2716 wrote to memory of 1436	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	45
PID 2716 wrote to memory of 2476	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	47
PID 2716 wrote to memory of 2476	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	47
PID 2716 wrote to memory of 2476	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	47
PID 2716 wrote to memory of 2476	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	47
PID 1960 wrote to memory of 288	1960	cmd.exe	49
PID 1960 wrote to memory of 288	1960	cmd.exe	49
PID 1960 wrote to memory of 288	1960	cmd.exe	49
PID 1960 wrote to memory of 288	1960	cmd.exe	49
PID 2716 wrote to memory of 2496	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	50
PID 2716 wrote to memory of 2496	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	50
PID 2716 wrote to memory of 2496	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	50
PID 2716 wrote to memory of 2496	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	50
PID 1492 wrote to memory of 684	1492	cmd.exe	51
PID 1492 wrote to memory of 684	1492	cmd.exe	51
PID 1492 wrote to memory of 684	1492	cmd.exe	51
PID 1492 wrote to memory of 684	1492	cmd.exe	51
PID 2716 wrote to memory of 1944	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	53
PID 2716 wrote to memory of 1944	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	53
PID 2716 wrote to memory of 1944	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	53
PID 2716 wrote to memory of 1944	2716	2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe	53
PID 1436 wrote to memory of 708	1436	cmd.exe	55
PID 1436 wrote to memory of 708	1436	cmd.exe	55
PID 1436 wrote to memory of 708	1436	cmd.exe	55
PID 1436 wrote to memory of 708	1436	cmd.exe	55
PID 2476 wrote to memory of 3032	2476	cmd.exe	141
PID 2476 wrote to memory of 3032	2476	cmd.exe	141
PID 2476 wrote to memory of 3032	2476	cmd.exe	141
PID 2476 wrote to memory of 3032	2476	cmd.exe	141

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
"C:\Users\Admin\AppData\Local\Temp\2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Z: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Y: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=X: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=W: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=V: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2496
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=U: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1944
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=T: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:912
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=S: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2696
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=R: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1552
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Q: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2884
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=P: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2608
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=O: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2712
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=N: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:580
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=M: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1904
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=L: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=K: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2032
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=J: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2820
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=I: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All /Quiet
  2⤵
  PID:2872
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=H: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2136
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=G: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2004
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=F: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2036
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=E: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1088
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=D: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3068
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=C: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All /Quiet
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=B: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1568
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=A: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop vss
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1448
- - C:\Windows\SysWOW64\net.exe
    net stop vss
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vss
      4⤵
      System Location Discovery: System Language Discovery
      PID:1016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:316
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set recoveryenabled NO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set recoveryenabled NO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.TXT
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-75412982311175910621165822548-151189546-23219262510458939421449038165217920724"
1⤵
PID:3032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "68361086677487751473527684-1432497034848704392-17793543577429711911144332065"
1⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Filesize
3KB

MD5
a2055997c8035d5ddedcc5e320a71aa9

SHA1
3749338fe70104e808c368ff4375e8a763d91034

SHA256
b4513c07ca8c741c7128f273654afae79ead9420a17a624c9c0f375bea133618

SHA512
d3624f8ca4080ed87252a5260514e27d399cf3338cfdb6e6b9b7cd86e781bd47afe9df8e96263a74ae98de6562d863c00dce6367634787050f21af4e103b7334

Download Submit
C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Filesize
3KB

MD5
a89360e9c1df150b4efda249a35cf02c

SHA1
1214f9b3d53f7b124c0b8dc56475551662ab71c1

SHA256
812bf5a1210527f387daf51693a5f5ebe6fe7004f4ff1e3865232ccdff0dba0b

SHA512
f3a6f04ec6f12318d4c8709112ff708216797ba1e6291c3d83c85bcf809fea58077a5ba7851f6175cb65df4ccbec5a617584ccc9c21a1b32b4e40d29e28764aa

Download Submit
memory/2716-0-0x0000000000100000-0x000000000010B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads