cb93ef8affa8e13b671190d1f8790aa08e0686097493d958e900659db2736841

Analysis

max time kernel
1561s
max time network
1562s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
Size

79KB
MD5

eb2972b9ac8a5db042cbadce971f64de
SHA1

40e03dde3562e379fa1be28f45eb36107c37c0de
SHA256

4b447266bd7a130c5b27c9ec4bd68a9ebf731a4ce0300702f41b37da1d6384ef
SHA512

10cdec84cd819270b57e37d730efe6fcd615adf744b54c0e9bf075fdf29067b4408748cb069750bb2067c1c569a1ff39c38f20f183a44c28e2c8e03d780e15ad
SSDEEP

1536:sRu6a2/bEPH2dFzd5Bsnu7jjd405wfGtu76KvJ:sRvdFR5Bsnu7jjKcYQY6KvJ

Score

10^/10

defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\PerfLogs\Admin\# HELP_DECRYPT_YOUR_FILES #.TXT

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: https://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private SoftWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected] YOUR_ID: 1c9b74eade2b146b

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Desktop\# HELP_DECRYPT_YOUR_FILES #.TXT

Ransom Note

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\FlashPlayerPlugins = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe\""	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*FlashPlayersPlugin = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe\""	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\FlashPlayarPlugins = "\"C:\\ProgramData\\FlashPlayerPlugin_1c9b74ea_de2b146b.exe\""	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*FleshPlayarPlugins = "\"C:\\ProgramData\\FlashPlayerPlugin_1c9b74ea_de2b146b.exe\""	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe

description	ioc	Process
File opened (read-only)	\??\H:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\K:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\M:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\V:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\W:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\T:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\U:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\A:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\B:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\N:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\O:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\P:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\S:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\G:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\L:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\Y:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\Z:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\E:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\I:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\J:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\Q:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\R:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\X:	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vssadmin.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.exevssadmin.execmd.execmd.execmd.execmd.exevssadmin.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.execmd.exevssadmin.execmd.execmd.execmd.execmd.exevssadmin.execmd.exevssadmin.execmd.exevssadmin.exevssadmin.exevssadmin.execmd.exevssadmin.exe2016-11-16-4th-run-Rig-standard-payload-CryptFile2.execmd.exevssadmin.execmd.exevssadmin.execmd.execmd.exevssadmin.execmd.execmd.exenet.execmd.exevssadmin.execmd.execmd.execmd.execmd.exevssadmin.execmd.execmd.execmd.exevssadmin.execmd.execmd.execmd.execmd.exeNOTEPAD.EXEvssadmin.execmd.exevssadmin.exevssadmin.exenet1.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Interacts with shadow copies 3 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	Process
2672	vssadmin.exe
1872	vssadmin.exe
2584	vssadmin.exe
1484	vssadmin.exe
2828	vssadmin.exe
2308	vssadmin.exe
112	vssadmin.exe
1692	vssadmin.exe
3100	vssadmin.exe
2008	vssadmin.exe
1448	vssadmin.exe
2016	vssadmin.exe
628	vssadmin.exe
2644	vssadmin.exe
568	vssadmin.exe
2088	vssadmin.exe
608	vssadmin.exe
3092	vssadmin.exe
2804	vssadmin.exe
3000	vssadmin.exe
836	vssadmin.exe
2712	vssadmin.exe
848	vssadmin.exe
2000	vssadmin.exe
2752	vssadmin.exe
2184	vssadmin.exe
2788	vssadmin.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

WMIC.exevssvc.exevssvc.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2848	WMIC.exe
Token: SeSecurityPrivilege	2848	WMIC.exe
Token: SeTakeOwnershipPrivilege	2848	WMIC.exe
Token: SeLoadDriverPrivilege	2848	WMIC.exe
Token: SeSystemProfilePrivilege	2848	WMIC.exe
Token: SeSystemtimePrivilege	2848	WMIC.exe
Token: SeProfSingleProcessPrivilege	2848	WMIC.exe
Token: SeIncBasePriorityPrivilege	2848	WMIC.exe
Token: SeCreatePagefilePrivilege	2848	WMIC.exe
Token: SeBackupPrivilege	2848	WMIC.exe
Token: SeRestorePrivilege	2848	WMIC.exe
Token: SeShutdownPrivilege	2848	WMIC.exe
Token: SeDebugPrivilege	2848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2848	WMIC.exe
Token: SeRemoteShutdownPrivilege	2848	WMIC.exe
Token: SeUndockPrivilege	2848	WMIC.exe
Token: SeManageVolumePrivilege	2848	WMIC.exe
Token: 33	2848	WMIC.exe
Token: 34	2848	WMIC.exe
Token: 35	2848	WMIC.exe
Token: SeBackupPrivilege	1936	vssvc.exe
Token: SeRestorePrivilege	1936	vssvc.exe
Token: SeAuditPrivilege	1936	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2848	WMIC.exe
Token: SeSecurityPrivilege	2848	WMIC.exe
Token: SeTakeOwnershipPrivilege	2848	WMIC.exe
Token: SeLoadDriverPrivilege	2848	WMIC.exe
Token: SeSystemProfilePrivilege	2848	WMIC.exe
Token: SeSystemtimePrivilege	2848	WMIC.exe
Token: SeProfSingleProcessPrivilege	2848	WMIC.exe
Token: SeIncBasePriorityPrivilege	2848	WMIC.exe
Token: SeCreatePagefilePrivilege	2848	WMIC.exe
Token: SeBackupPrivilege	2848	WMIC.exe
Token: SeRestorePrivilege	2848	WMIC.exe
Token: SeShutdownPrivilege	2848	WMIC.exe
Token: SeDebugPrivilege	2848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2848	WMIC.exe
Token: SeRemoteShutdownPrivilege	2848	WMIC.exe
Token: SeUndockPrivilege	2848	WMIC.exe
Token: SeManageVolumePrivilege	2848	WMIC.exe
Token: 33	2848	WMIC.exe
Token: 34	2848	WMIC.exe
Token: 35	2848	WMIC.exe
Token: SeBackupPrivilege	920	vssvc.exe
Token: SeRestorePrivilege	920	vssvc.exe
Token: SeAuditPrivilege	920	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2016-11-16-4th-run-Rig-standard-payload-CryptFile2.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 1708 wrote to memory of 2424	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	33
PID 1708 wrote to memory of 2424	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	33
PID 1708 wrote to memory of 2424	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	33
PID 1708 wrote to memory of 2424	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	33
PID 1708 wrote to memory of 1824	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	35
PID 1708 wrote to memory of 1824	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	35
PID 1708 wrote to memory of 1824	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	35
PID 1708 wrote to memory of 1824	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	35
PID 1708 wrote to memory of 1604	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	37
PID 1708 wrote to memory of 1604	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	37
PID 1708 wrote to memory of 1604	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	37
PID 1708 wrote to memory of 1604	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	37
PID 1708 wrote to memory of 2684	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	39
PID 1708 wrote to memory of 2684	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	39
PID 1708 wrote to memory of 2684	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	39
PID 1708 wrote to memory of 2684	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	39
PID 1708 wrote to memory of 2792	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	41
PID 1708 wrote to memory of 2792	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	41
PID 1708 wrote to memory of 2792	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	41
PID 1708 wrote to memory of 2792	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	41
PID 2424 wrote to memory of 2804	2424	cmd.exe	42
PID 2424 wrote to memory of 2804	2424	cmd.exe	42
PID 2424 wrote to memory of 2804	2424	cmd.exe	42
PID 2424 wrote to memory of 2804	2424	cmd.exe	42
PID 1824 wrote to memory of 2848	1824	cmd.exe	44
PID 1824 wrote to memory of 2848	1824	cmd.exe	44
PID 1824 wrote to memory of 2848	1824	cmd.exe	44
PID 1824 wrote to memory of 2848	1824	cmd.exe	44
PID 1604 wrote to memory of 2752	1604	cmd.exe	45
PID 1604 wrote to memory of 2752	1604	cmd.exe	45
PID 1604 wrote to memory of 2752	1604	cmd.exe	45
PID 1604 wrote to memory of 2752	1604	cmd.exe	45
PID 1708 wrote to memory of 2192	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	46
PID 1708 wrote to memory of 2192	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	46
PID 1708 wrote to memory of 2192	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	46
PID 1708 wrote to memory of 2192	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	46
PID 2684 wrote to memory of 2828	2684	cmd.exe	47
PID 2684 wrote to memory of 2828	2684	cmd.exe	47
PID 2684 wrote to memory of 2828	2684	cmd.exe	47
PID 2684 wrote to memory of 2828	2684	cmd.exe	47
PID 1708 wrote to memory of 2780	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	48
PID 1708 wrote to memory of 2780	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	48
PID 1708 wrote to memory of 2780	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	48
PID 1708 wrote to memory of 2780	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	48
PID 2792 wrote to memory of 3000	2792	cmd.exe	50
PID 2792 wrote to memory of 3000	2792	cmd.exe	50
PID 2792 wrote to memory of 3000	2792	cmd.exe	50
PID 2792 wrote to memory of 3000	2792	cmd.exe	50
PID 1708 wrote to memory of 2816	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	52
PID 1708 wrote to memory of 2816	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	52
PID 1708 wrote to memory of 2816	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	52
PID 1708 wrote to memory of 2816	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	52
PID 1708 wrote to memory of 2924	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	53
PID 1708 wrote to memory of 2924	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	53
PID 1708 wrote to memory of 2924	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	53
PID 1708 wrote to memory of 2924	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	53
PID 1708 wrote to memory of 2764	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	56
PID 1708 wrote to memory of 2764	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	56
PID 1708 wrote to memory of 2764	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	56
PID 1708 wrote to memory of 2764	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	56
PID 1708 wrote to memory of 2664	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	59
PID 1708 wrote to memory of 2664	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	59
PID 1708 wrote to memory of 2664	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	59
PID 1708 wrote to memory of 2664	1708	2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe	59

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
"C:\Users\Admin\AppData\Local\Temp\2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Z: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Y: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=X: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2192
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=W: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2780
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=V: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2816
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=U: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2924
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=T: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=S: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2664
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=R: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2252
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Q: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:668
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=P: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=O: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2912
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=N: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1932
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=M: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1352
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=L: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2548
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=K: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1036
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=J: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2116
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=I: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2936
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=H: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3032
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=G: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1552
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=F: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1668
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=E: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1648
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=D: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2340
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=C: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2292
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=B: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:3092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2312
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=A: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:3100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop vss
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2364
- - C:\Windows\SysWOW64\net.exe
    net stop vss
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3132
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vss
      4⤵
      System Location Discovery: System Language Discovery
      PID:3176
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
  2⤵
  PID:3108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  PID:3364
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set recoveryenabled NO
  2⤵
  PID:3420
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set recoveryenabled NO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3432
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3532
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\# HELP_DECRYPT_YOUR_FILES #.TXT
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\# HELP_DECRYPT_YOUR_FILES #.TXT

Filesize
3KB

MD5
ac8d86831e37b01871264094cb89bb22

SHA1
bc8a034753e7b738eb1eb6c74304a64bf7970010

SHA256
aa036d9f9d8aa4329d8815b78ecae49893a7fe1f064fbd6b1a42115db6dab5e8

SHA512
0e998581d36db1217908e16fe08d529365117a17efadbb892d2ddf8cb0b50e519bf849224cb50a66011c68813a4660d17aff52dbaba8deb6e2489f8258838594

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB398.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\Desktop\# HELP_DECRYPT_YOUR_FILES #.TXT

Filesize
3KB

MD5
d7009ba025c96b2a98f578f54894063a

SHA1
7c0044d11276410d362ccd58158e3ca7376dbda3

SHA256
efc5834ae9a7350f12c3c4d9c00eaf9c934e4bfb3a9b28091e9b39988c558605

SHA512
a09981914f8370de3685bf7005631780b809e2db5abdecee1ace156c5fa6719c71600f63c6f81099678a30054710cc8d9c3bfa90cd38149f7318dd5c950664ec

Download Submit
memory/1708-0-0x0000000000130000-0x000000000013C000-memory.dmp

Filesize
48KB

Download
memory/1708-272-0x0000000000130000-0x000000000013C000-memory.dmp

Filesize
48KB

Download
memory/1708-276-0x0000000000130000-0x000000000013C000-memory.dmp

Filesize
48KB

Download