cb93ef8affa8e13b671190d1f8790aa08e0686097493d958e900659db2736841

Analysis

max time kernel
1563s
max time network
1565s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
Size

90KB
MD5

48237318fe0b0c7f472c31141903be8f
SHA1

2e4bc11981a2058285d96454eb14ba335b1afe64
SHA256

c9fa87bd0b0738e3fab364ddcdc11d0d81a74b20b6579d6b77fb72dd223480a2
SHA512

fc3499d844a3c5745f11cb0284326a7421848ea2a2a05fda94b2a49e141abb9b24d1a07f66841182c44d7ad0364ecd4b43414db47e9f0d9d73b6340e3f236b80
SSDEEP

1536:aS8aRYI4QOGvGP3+DP+B5y97JheTsAxp9n8+YFzqfeEcS/R:gjJQPs5yLhmsAEEcSZ

Score

10^/10

defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: https://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private softWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected] YOUR_ID: 1c9b74eab82ca0

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*FleshPlayarPlugins = "\"C:\\ProgramData\\FlashPlayerPlugin_1c9b74ea_b82ca0.exe\""	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\FlashPlayerPlugins = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe\""	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*FlashPlayersPlugin = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe\""	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\FlashPlayarPlugins = "\"C:\\ProgramData\\FlashPlayerPlugin_1c9b74ea_b82ca0.exe\""	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\Z:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\H:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\L:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\M:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\E:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\K:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\T:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\J:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\N:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\P:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\S:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\U:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\A:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\B:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\I:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\V:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\X:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\W:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\Y:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\G:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\O:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\Q:	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1208	vssadmin.exe
1912	vssadmin.exe
1720	vssadmin.exe
3004	vssadmin.exe
2312	vssadmin.exe
324	vssadmin.exe
2408	vssadmin.exe
1736	vssadmin.exe
2676	vssadmin.exe
2964	vssadmin.exe
2476	vssadmin.exe
1072	vssadmin.exe
2412	vssadmin.exe
992	vssadmin.exe
876	vssadmin.exe
928	vssadmin.exe
548	vssadmin.exe
3068	vssadmin.exe
2412	vssadmin.exe
992	vssadmin.exe
2528	vssadmin.exe
1712	vssadmin.exe
2760	vssadmin.exe
2952	vssadmin.exe
1656	vssadmin.exe
2944	vssadmin.exe
1644	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1736	NOTEPAD.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2144	WMIC.exe
Token: SeSecurityPrivilege	2144	WMIC.exe
Token: SeTakeOwnershipPrivilege	2144	WMIC.exe
Token: SeLoadDriverPrivilege	2144	WMIC.exe
Token: SeSystemProfilePrivilege	2144	WMIC.exe
Token: SeSystemtimePrivilege	2144	WMIC.exe
Token: SeProfSingleProcessPrivilege	2144	WMIC.exe
Token: SeIncBasePriorityPrivilege	2144	WMIC.exe
Token: SeCreatePagefilePrivilege	2144	WMIC.exe
Token: SeBackupPrivilege	2144	WMIC.exe
Token: SeRestorePrivilege	2144	WMIC.exe
Token: SeShutdownPrivilege	2144	WMIC.exe
Token: SeDebugPrivilege	2144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2144	WMIC.exe
Token: SeRemoteShutdownPrivilege	2144	WMIC.exe
Token: SeUndockPrivilege	2144	WMIC.exe
Token: SeManageVolumePrivilege	2144	WMIC.exe
Token: 33	2144	WMIC.exe
Token: 34	2144	WMIC.exe
Token: 35	2144	WMIC.exe
Token: SeBackupPrivilege	2232	vssvc.exe
Token: SeRestorePrivilege	2232	vssvc.exe
Token: SeAuditPrivilege	2232	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2144	WMIC.exe
Token: SeSecurityPrivilege	2144	WMIC.exe
Token: SeTakeOwnershipPrivilege	2144	WMIC.exe
Token: SeLoadDriverPrivilege	2144	WMIC.exe
Token: SeSystemProfilePrivilege	2144	WMIC.exe
Token: SeSystemtimePrivilege	2144	WMIC.exe
Token: SeProfSingleProcessPrivilege	2144	WMIC.exe
Token: SeIncBasePriorityPrivilege	2144	WMIC.exe
Token: SeCreatePagefilePrivilege	2144	WMIC.exe
Token: SeBackupPrivilege	2144	WMIC.exe
Token: SeRestorePrivilege	2144	WMIC.exe
Token: SeShutdownPrivilege	2144	WMIC.exe
Token: SeDebugPrivilege	2144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2144	WMIC.exe
Token: SeRemoteShutdownPrivilege	2144	WMIC.exe
Token: SeUndockPrivilege	2144	WMIC.exe
Token: SeManageVolumePrivilege	2144	WMIC.exe
Token: 33	2144	WMIC.exe
Token: 34	2144	WMIC.exe
Token: 35	2144	WMIC.exe
Token: SeBackupPrivilege	1328	vssvc.exe
Token: SeRestorePrivilege	1328	vssvc.exe
Token: SeAuditPrivilege	1328	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1528	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 1600 wrote to memory of 1528	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 1600 wrote to memory of 1528	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 1600 wrote to memory of 1528	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 1600 wrote to memory of 936	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 1600 wrote to memory of 936	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 1600 wrote to memory of 936	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 1600 wrote to memory of 936	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 1600 wrote to memory of 2428	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	37
PID 1600 wrote to memory of 2428	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	37
PID 1600 wrote to memory of 2428	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	37
PID 1600 wrote to memory of 2428	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	37
PID 1600 wrote to memory of 1888	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	39
PID 1600 wrote to memory of 1888	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	39
PID 1600 wrote to memory of 1888	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	39
PID 1600 wrote to memory of 1888	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	39
PID 1600 wrote to memory of 1356	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	120
PID 1600 wrote to memory of 1356	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	120
PID 1600 wrote to memory of 1356	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	120
PID 1600 wrote to memory of 1356	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	120
PID 1600 wrote to memory of 1388	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	43
PID 1600 wrote to memory of 1388	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	43
PID 1600 wrote to memory of 1388	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	43
PID 1600 wrote to memory of 1388	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	43
PID 1528 wrote to memory of 548	1528	cmd.exe	44
PID 1528 wrote to memory of 548	1528	cmd.exe	44
PID 1528 wrote to memory of 548	1528	cmd.exe	44
PID 1528 wrote to memory of 548	1528	cmd.exe	44
PID 1600 wrote to memory of 2568	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	47
PID 1600 wrote to memory of 2568	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	47
PID 1600 wrote to memory of 2568	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	47
PID 1600 wrote to memory of 2568	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	47
PID 936 wrote to memory of 2144	936	cmd.exe	46
PID 936 wrote to memory of 2144	936	cmd.exe	46
PID 936 wrote to memory of 2144	936	cmd.exe	46
PID 936 wrote to memory of 2144	936	cmd.exe	46
PID 1600 wrote to memory of 2212	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	49
PID 1600 wrote to memory of 2212	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	49
PID 1600 wrote to memory of 2212	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	49
PID 1600 wrote to memory of 2212	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	49
PID 2428 wrote to memory of 324	2428	cmd.exe	50
PID 2428 wrote to memory of 324	2428	cmd.exe	50
PID 2428 wrote to memory of 324	2428	cmd.exe	50
PID 2428 wrote to memory of 324	2428	cmd.exe	50
PID 1888 wrote to memory of 1072	1888	cmd.exe	51
PID 1888 wrote to memory of 1072	1888	cmd.exe	51
PID 1888 wrote to memory of 1072	1888	cmd.exe	51
PID 1888 wrote to memory of 1072	1888	cmd.exe	51
PID 1600 wrote to memory of 2072	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	53
PID 1600 wrote to memory of 2072	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	53
PID 1600 wrote to memory of 2072	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	53
PID 1600 wrote to memory of 2072	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	53
PID 1600 wrote to memory of 2328	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	126
PID 1600 wrote to memory of 2328	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	126
PID 1600 wrote to memory of 2328	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	126
PID 1600 wrote to memory of 2328	1600	2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe	126
PID 1388 wrote to memory of 876	1388	cmd.exe	56
PID 1388 wrote to memory of 876	1388	cmd.exe	56
PID 1388 wrote to memory of 876	1388	cmd.exe	56
PID 1388 wrote to memory of 876	1388	cmd.exe	56
PID 1356 wrote to memory of 2412	1356	cmd.exe	119
PID 1356 wrote to memory of 2412	1356	cmd.exe	119
PID 1356 wrote to memory of 2412	1356	cmd.exe	119
PID 1356 wrote to memory of 2412	1356	cmd.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
"C:\Users\Admin\AppData\Local\Temp\2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Z: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:324
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Y: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=X: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=W: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2568
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=V: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2212
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=U: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All /Quiet
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=T: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=S: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2064
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=R: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:884
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Q: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1728
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=P: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=O: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:576
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=N: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2836
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=M: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2664
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=L: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2956
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=K: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All /Quiet
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=J: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1076
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=I: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1972
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=H: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1032
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=G: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:948
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=F: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:844
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=E: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1536
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=D: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1652
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=C: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1152
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=B: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2796
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=A: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop vss
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1452
- - C:\Windows\SysWOW64\net.exe
    net stop vss
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vss
      4⤵
      System Location Discovery: System Language Discovery
      PID:1544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
  2⤵
  PID:1960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2148
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set recoveryenabled NO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set recoveryenabled NO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2256
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:636
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.TXT
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:1736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-881984698183512864816605323811302764783-21094452861125512742-786995921-133693187"
1⤵
PID:1356

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Filesize
3KB

MD5
5dca5adc4ba0b82db54e39324f379ab2

SHA1
41f5c9804aca45403203621861852b1afa46a826

SHA256
ab19647d32dbcd5bbea1c6ec4a2eb0f7cb7208e4c1a242583f6d4233dde27cba

SHA512
3cf2f6ff9701ba21fe651a961f9c097929e23fe53aa8f86d446a9549752a3e52c8b4c022bd92e306b5e7e8d78c43ef3dbdd25c3835b119f05a80621c9be8e473

Download Submit
C:\Users\Admin\Documents\[email protected]_.rscl

Filesize
12KB

MD5
9c0433fa67b32c9a5f2fce3420f473c1

SHA1
497645f06f1f7bf1e42df272a9a883759febe5ca

SHA256
a9df552f81d49ad7b6c2facd2cf6b4765b9fb4ce05f020d2b9f38b76d234d1f2

SHA512
b0c0b4477f6b905155a3e8bf610a0bd128f2a4ab2a03769397b799fa38e702360d74fd90f2907ac7824930c9b53b5f810b36958616482a21d20b50959330e7fa

Download Submit
memory/1600-0-0x0000000000100000-0x000000000010C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads