cb93ef8affa8e13b671190d1f8790aa08e0686097493d958e900659db2736841

Analysis

max time kernel
1562s
max time network
1563s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
Size

81KB
MD5

03efa23cb13898fdfda7821ea7dc5e10
SHA1

e25e2f68f0c159378f133d0e161a980d7f148a91
SHA256

f2dbf29985a759e73c6a515422e218e6b0a1a844a327917428a1f9a1248f2320
SHA512

eb7afaac956b2781c4551cec46c97c4b9dee08b29844f9551ad8ff7fe766f48a9897288a3f8f514789f4f3dabc4d00ec2284c5602b4b253ca7cfc8ac393280c5
SSDEEP

1536:WqcJ/2POlymkGECwdqnUzyQon3f+RltHWSqTWfY:WPynRDcnUzyfn3WRltH7XfY

Score

10^/10

defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\# HELP_DECRYPT_YOUR_FILES #.TXT

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: https://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private SoftWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected] YOUR_ID: 1c9b74ea5adee9c3

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*FleshPlayarPlugins = "\"C:\\ProgramData\\FlashPlayerPlugin_1c9b74ea_5adee9c3.exe\""	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\FlashPlayerPlugins = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe\""	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*FlashPlayersPlugin = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe\""	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\FlashPlayarPlugins = "\"C:\\ProgramData\\FlashPlayerPlugin_1c9b74ea_5adee9c3.exe\""	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe

description	ioc	Process
File opened (read-only)	\??\N:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\P:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\S:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\E:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\G:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\H:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\I:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\L:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\T:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\U:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\X:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\Z:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\A:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\J:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\K:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\M:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\V:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\Y:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\B:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\O:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\Q:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\R:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
File opened (read-only)	\??\W:	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.exevssadmin.exevssadmin.exevssadmin.execmd.execmd.exevssadmin.execmd.execmd.execmd.exevssadmin.execmd.execmd.execmd.exevssadmin.execmd.execmd.exevssadmin.execmd.execmd.execmd.execmd.exeWMIC.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.exevssadmin.execmd.execmd.execmd.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.exevssadmin.execmd.exevssadmin.exevssadmin.execmd.execmd.execmd.exenet1.exevssadmin.execmd.execmd.execmd.exeNOTEPAD.EXEvssadmin.exevssadmin.execmd.execmd.exevssadmin.execmd.exevssadmin.exe2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exevssadmin.exevssadmin.execmd.exevssadmin.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	Process
1716	vssadmin.exe
992	vssadmin.exe
2820	vssadmin.exe
2168	vssadmin.exe
2000	vssadmin.exe
920	vssadmin.exe
2900	vssadmin.exe
264	vssadmin.exe
1072	vssadmin.exe
2596	vssadmin.exe
2888	vssadmin.exe
2044	vssadmin.exe
2696	vssadmin.exe
1896	vssadmin.exe
3004	vssadmin.exe
2712	vssadmin.exe
2960	vssadmin.exe
572	vssadmin.exe
2920	vssadmin.exe
648	vssadmin.exe
2668	vssadmin.exe
2584	vssadmin.exe
2204	vssadmin.exe
2840	vssadmin.exe
3064	vssadmin.exe
1420	vssadmin.exe
2732	vssadmin.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2652	WMIC.exe
Token: SeSecurityPrivilege	2652	WMIC.exe
Token: SeTakeOwnershipPrivilege	2652	WMIC.exe
Token: SeLoadDriverPrivilege	2652	WMIC.exe
Token: SeSystemProfilePrivilege	2652	WMIC.exe
Token: SeSystemtimePrivilege	2652	WMIC.exe
Token: SeProfSingleProcessPrivilege	2652	WMIC.exe
Token: SeIncBasePriorityPrivilege	2652	WMIC.exe
Token: SeCreatePagefilePrivilege	2652	WMIC.exe
Token: SeBackupPrivilege	2652	WMIC.exe
Token: SeRestorePrivilege	2652	WMIC.exe
Token: SeShutdownPrivilege	2652	WMIC.exe
Token: SeDebugPrivilege	2652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2652	WMIC.exe
Token: SeRemoteShutdownPrivilege	2652	WMIC.exe
Token: SeUndockPrivilege	2652	WMIC.exe
Token: SeManageVolumePrivilege	2652	WMIC.exe
Token: 33	2652	WMIC.exe
Token: 34	2652	WMIC.exe
Token: 35	2652	WMIC.exe
Token: SeBackupPrivilege	1748	vssvc.exe
Token: SeRestorePrivilege	1748	vssvc.exe
Token: SeAuditPrivilege	1748	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2652	WMIC.exe
Token: SeSecurityPrivilege	2652	WMIC.exe
Token: SeTakeOwnershipPrivilege	2652	WMIC.exe
Token: SeLoadDriverPrivilege	2652	WMIC.exe
Token: SeSystemProfilePrivilege	2652	WMIC.exe
Token: SeSystemtimePrivilege	2652	WMIC.exe
Token: SeProfSingleProcessPrivilege	2652	WMIC.exe
Token: SeIncBasePriorityPrivilege	2652	WMIC.exe
Token: SeCreatePagefilePrivilege	2652	WMIC.exe
Token: SeBackupPrivilege	2652	WMIC.exe
Token: SeRestorePrivilege	2652	WMIC.exe
Token: SeShutdownPrivilege	2652	WMIC.exe
Token: SeDebugPrivilege	2652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2652	WMIC.exe
Token: SeRemoteShutdownPrivilege	2652	WMIC.exe
Token: SeUndockPrivilege	2652	WMIC.exe
Token: SeManageVolumePrivilege	2652	WMIC.exe
Token: 33	2652	WMIC.exe
Token: 34	2652	WMIC.exe
Token: 35	2652	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2328 wrote to memory of 2128	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	33
PID 2328 wrote to memory of 2128	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	33
PID 2328 wrote to memory of 2128	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	33
PID 2328 wrote to memory of 2128	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	33
PID 2328 wrote to memory of 2788	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	35
PID 2328 wrote to memory of 2788	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	35
PID 2328 wrote to memory of 2788	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	35
PID 2328 wrote to memory of 2788	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	35
PID 2328 wrote to memory of 2780	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	37
PID 2328 wrote to memory of 2780	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	37
PID 2328 wrote to memory of 2780	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	37
PID 2328 wrote to memory of 2780	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	37
PID 2328 wrote to memory of 2776	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	39
PID 2328 wrote to memory of 2776	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	39
PID 2328 wrote to memory of 2776	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	39
PID 2328 wrote to memory of 2776	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	39
PID 2328 wrote to memory of 2360	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	42
PID 2328 wrote to memory of 2360	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	42
PID 2328 wrote to memory of 2360	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	42
PID 2328 wrote to memory of 2360	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	42
PID 2128 wrote to memory of 2820	2128	cmd.exe	41
PID 2128 wrote to memory of 2820	2128	cmd.exe	41
PID 2128 wrote to memory of 2820	2128	cmd.exe	41
PID 2128 wrote to memory of 2820	2128	cmd.exe	41
PID 2328 wrote to memory of 2560	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	44
PID 2328 wrote to memory of 2560	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	44
PID 2328 wrote to memory of 2560	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	44
PID 2328 wrote to memory of 2560	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	44
PID 2780 wrote to memory of 2712	2780	cmd.exe	46
PID 2780 wrote to memory of 2712	2780	cmd.exe	46
PID 2780 wrote to memory of 2712	2780	cmd.exe	46
PID 2780 wrote to memory of 2712	2780	cmd.exe	46
PID 2328 wrote to memory of 2756	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	48
PID 2328 wrote to memory of 2756	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	48
PID 2328 wrote to memory of 2756	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	48
PID 2328 wrote to memory of 2756	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	48
PID 2788 wrote to memory of 2652	2788	cmd.exe	47
PID 2788 wrote to memory of 2652	2788	cmd.exe	47
PID 2788 wrote to memory of 2652	2788	cmd.exe	47
PID 2788 wrote to memory of 2652	2788	cmd.exe	47
PID 2360 wrote to memory of 2584	2360	cmd.exe	49
PID 2360 wrote to memory of 2584	2360	cmd.exe	49
PID 2360 wrote to memory of 2584	2360	cmd.exe	49
PID 2360 wrote to memory of 2584	2360	cmd.exe	49
PID 2328 wrote to memory of 2660	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	51
PID 2328 wrote to memory of 2660	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	51
PID 2328 wrote to memory of 2660	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	51
PID 2328 wrote to memory of 2660	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	51
PID 2776 wrote to memory of 2960	2776	cmd.exe	52
PID 2776 wrote to memory of 2960	2776	cmd.exe	52
PID 2776 wrote to memory of 2960	2776	cmd.exe	52
PID 2776 wrote to memory of 2960	2776	cmd.exe	52
PID 2328 wrote to memory of 2104	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	54
PID 2328 wrote to memory of 2104	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	54
PID 2328 wrote to memory of 2104	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	54
PID 2328 wrote to memory of 2104	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	54
PID 2560 wrote to memory of 1896	2560	cmd.exe	55
PID 2560 wrote to memory of 1896	2560	cmd.exe	55
PID 2560 wrote to memory of 1896	2560	cmd.exe	55
PID 2560 wrote to memory of 1896	2560	cmd.exe	55
PID 2328 wrote to memory of 2980	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	58
PID 2328 wrote to memory of 2980	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	58
PID 2328 wrote to memory of 2980	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	58
PID 2328 wrote to memory of 2980	2328	2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
"C:\Users\Admin\AppData\Local\Temp\2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Z: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Y: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=X: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=W: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2756
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=V: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2660
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=U: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2888
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=T: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2980
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=S: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All /Quiet
  2⤵
  PID:2376
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=R: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1420
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2424
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Q: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1232
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=P: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2256
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=O: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2364
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=N: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:532
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=M: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:816
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=L: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1368
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=K: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1564
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=J: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All /Quiet
  2⤵
  PID:860
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=I: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2396
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=H: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:840
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=G: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2180
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=F: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1712
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=E: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1800
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=D: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1604
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=C: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2540
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=B: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1276
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=A: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop vss
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1344
- - C:\Windows\SysWOW64\net.exe
    net stop vss
    3⤵
    PID:2708
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vss
      4⤵
      System Location Discovery: System Language Discovery
      PID:2548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set recoveryenabled NO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:316
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set recoveryenabled NO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:632
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2240
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\# HELP_DECRYPT_YOUR_FILES #.TXT
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1141002171-804367865-1621119540-995850945-181243521350109391-861627717241820048"
1⤵
PID:1420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1824016663-45688453615730418001577254917-993746481-1847050642-756327686-1126980511"
1⤵
PID:572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1614457792-124873096810672838421268821827-20449934221340928747214218563192923564"
1⤵
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\# HELP_DECRYPT_YOUR_FILES #.TXT

Filesize
3KB

MD5
b2a8bb2da134f1c491cef3290bdc5635

SHA1
ab4348bd4462e4926c2782e6468c196b0871d6c6

SHA256
907a4398600a089a8acf748de1b3a0739accde439af3b4eba772eeeb34bd325e

SHA512
d5259ade1f3130224f6ce39636d352b5a8d224288af3ff2f9923ce3b0623dc5f42af66efc8da1e5d8626fd4f5b57f0d6339b029deb324af08385f743963c2f1c

Download Submit
memory/2328-0-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/2328-258-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download