cb93ef8affa8e13b671190d1f8790aa08e0686097493d958e900659db2736841

Analysis

max time kernel
1565s
max time network
1566s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
Size

84KB
MD5

420b2f010edbc63a68b2cce2cdf1e5e9
SHA1

4cf5072cfe0eb42d387713067e2706902c89b294
SHA256

8f9a62a9e43ed55f0fa810737facc6460dc89c41f16f4d610debc8a35babe6b9
SHA512

de85edb0217c3d1e615e81154831fe0f3f7c7514f843f253eecf38da09895558b4dc71c1e4141dd196bda7aa75d2c14c85658355a834f98238370df0bea46f35
SSDEEP

1536:cYYxci1ZP39zud52ilpPXvlMq12Kpuyjg1kF3mI:+xFyd52ilpPX6q2y8kF3j

Score

10^/10

defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private softWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected] Spare email: E-MAIL1: [email protected] E-MAIL2: [email protected]

Emails

[email protected]

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

Emails

[email protected]

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Ransom Note

<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>HELP_DECRYPT_YOUR_FILES</title> <style> .text { text-align: center; } </style> </head> <body> <div class="text"> NOT YOUR LANGUAGE? USE <a href="https://translate.google.com">https://translate.google.com</a> What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a> How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private softWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected] Spare email if we do not respond within 24 hours: E-MAIL1: [email protected] E-MAIL2: [email protected]

Emails

[email protected]

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Ransom Note

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Reader UpdateHardWare = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe\""	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Chrome Reader Update32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe\""	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeFlashPlayersHardWare = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_fc4a0f8c1c9b74ea.exe\""	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*ChromeFlashPlayers32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_fc4a0f8c1c9b74ea.exe\""	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\T:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\V:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\X:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\H:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\M:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\P:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\R:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\Z:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\W:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\G:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\L:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\Q:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\U:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\N:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\O:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\Y:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\A:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\I:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\J:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\K:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\B:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened (read-only)	\??\E:	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1780	vssadmin.exe
2916	vssadmin.exe
2964	vssadmin.exe
2788	vssadmin.exe
2740	vssadmin.exe
2604	vssadmin.exe
1596	vssadmin.exe
2624	vssadmin.exe
1008	vssadmin.exe
1440	vssadmin.exe
3000	vssadmin.exe
1656	vssadmin.exe
872	vssadmin.exe
2060	vssadmin.exe
2528	vssadmin.exe
2960	vssadmin.exe
1260	vssadmin.exe
3052	vssadmin.exe
2816	vssadmin.exe
2892	vssadmin.exe
2044	vssadmin.exe
2308	vssadmin.exe
988	vssadmin.exe
1188	vssadmin.exe
564	vssadmin.exe
2304	vssadmin.exe
488	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e04abff00934db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf000000000200000000001066000000010000200000009d033757768dfed6ccd8ede55a5e0ff272bf1e611bbbf4df52b9740ed115daba000000000e8000000002000020000000f355bc2cabb56198b427f2ceb1499b89e39a70ed0a145be453dabd2727e5afac900000001f5b06726b7e25fb907f97d5a0491b1fbf2c418448eb717fa9b852be69ada6bb12c2ecb4e41e6a8c73e1c7ccfba35d5a63beb79339350a9a64151d56b1aa60fb1ef61242daedc1438ab993e37355b4327b0eb3db9da946bee49f792e2c07e2af6ff122da37d25fa1c99fd8b9240103000b39c5282460e7cd4b8784ebe93a5b4edab9eead3e5eb3433fac39016eede8e04000000090398193d4f98c699e52add8176d6a09ddb45369581f5ec77b703af0cdabe7004faf2ebf0c0010e67ba305c8ba4e9b6331907ba2964518102ea363d6dce09aa1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf000000000200000000001066000000010000200000000195b9128d2bf26e76a7b0869722b97dd5e82f56bb30de529053a9f1e0db4c29000000000e8000000002000020000000e3e8dfa456ee9bf294534df72af0c9394d030e014263024e9edd5f83d3e6ac9520000000b8fb02223031a189f1538ea0e483e78bc1c54b08a431ef1c23e60a1c8c0581ba40000000402b40947f760475c10e7e8cf58d98171d3299708d3d08b1979467d18067e9d0cb2449d0e552547341a1febce6f7c898813947b10c2c0fa52262f56255aad5d7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1C398281-9FFD-11EF-B7A5-FED808322145} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437471360"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1840	NOTEPAD.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2192	WMIC.exe
Token: SeSecurityPrivilege	2192	WMIC.exe
Token: SeTakeOwnershipPrivilege	2192	WMIC.exe
Token: SeLoadDriverPrivilege	2192	WMIC.exe
Token: SeSystemProfilePrivilege	2192	WMIC.exe
Token: SeSystemtimePrivilege	2192	WMIC.exe
Token: SeProfSingleProcessPrivilege	2192	WMIC.exe
Token: SeIncBasePriorityPrivilege	2192	WMIC.exe
Token: SeCreatePagefilePrivilege	2192	WMIC.exe
Token: SeBackupPrivilege	2192	WMIC.exe
Token: SeRestorePrivilege	2192	WMIC.exe
Token: SeShutdownPrivilege	2192	WMIC.exe
Token: SeDebugPrivilege	2192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2192	WMIC.exe
Token: SeRemoteShutdownPrivilege	2192	WMIC.exe
Token: SeUndockPrivilege	2192	WMIC.exe
Token: SeManageVolumePrivilege	2192	WMIC.exe
Token: 33	2192	WMIC.exe
Token: 34	2192	WMIC.exe
Token: 35	2192	WMIC.exe
Token: SeBackupPrivilege	1528	vssvc.exe
Token: SeRestorePrivilege	1528	vssvc.exe
Token: SeAuditPrivilege	1528	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2192	WMIC.exe
Token: SeSecurityPrivilege	2192	WMIC.exe
Token: SeTakeOwnershipPrivilege	2192	WMIC.exe
Token: SeLoadDriverPrivilege	2192	WMIC.exe
Token: SeSystemProfilePrivilege	2192	WMIC.exe
Token: SeSystemtimePrivilege	2192	WMIC.exe
Token: SeProfSingleProcessPrivilege	2192	WMIC.exe
Token: SeIncBasePriorityPrivilege	2192	WMIC.exe
Token: SeCreatePagefilePrivilege	2192	WMIC.exe
Token: SeBackupPrivilege	2192	WMIC.exe
Token: SeRestorePrivilege	2192	WMIC.exe
Token: SeShutdownPrivilege	2192	WMIC.exe
Token: SeDebugPrivilege	2192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2192	WMIC.exe
Token: SeRemoteShutdownPrivilege	2192	WMIC.exe
Token: SeUndockPrivilege	2192	WMIC.exe
Token: SeManageVolumePrivilege	2192	WMIC.exe
Token: 33	2192	WMIC.exe
Token: 34	2192	WMIC.exe
Token: 35	2192	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
868	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
868	iexplore.exe
868	iexplore.exe
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 892	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	123
PID 1988 wrote to memory of 892	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	123
PID 1988 wrote to memory of 892	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	123
PID 1988 wrote to memory of 892	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	123
PID 1988 wrote to memory of 1208	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	35
PID 1988 wrote to memory of 1208	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	35
PID 1988 wrote to memory of 1208	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	35
PID 1988 wrote to memory of 1208	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	35
PID 1988 wrote to memory of 1740	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	36
PID 1988 wrote to memory of 1740	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	36
PID 1988 wrote to memory of 1740	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	36
PID 1988 wrote to memory of 1740	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	36
PID 892 wrote to memory of 488	892	cmd.exe	38
PID 892 wrote to memory of 488	892	cmd.exe	38
PID 892 wrote to memory of 488	892	cmd.exe	38
PID 892 wrote to memory of 488	892	cmd.exe	38
PID 1988 wrote to memory of 1684	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	40
PID 1988 wrote to memory of 1684	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	40
PID 1988 wrote to memory of 1684	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	40
PID 1988 wrote to memory of 1684	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	40
PID 1988 wrote to memory of 2528	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	118
PID 1988 wrote to memory of 2528	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	118
PID 1988 wrote to memory of 2528	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	118
PID 1988 wrote to memory of 2528	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	118
PID 1740 wrote to memory of 3052	1740	cmd.exe	42
PID 1740 wrote to memory of 3052	1740	cmd.exe	42
PID 1740 wrote to memory of 3052	1740	cmd.exe	42
PID 1740 wrote to memory of 3052	1740	cmd.exe	42
PID 1208 wrote to memory of 2192	1208	cmd.exe	44
PID 1208 wrote to memory of 2192	1208	cmd.exe	44
PID 1208 wrote to memory of 2192	1208	cmd.exe	44
PID 1208 wrote to memory of 2192	1208	cmd.exe	44
PID 1988 wrote to memory of 2412	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	46
PID 1988 wrote to memory of 2412	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	46
PID 1988 wrote to memory of 2412	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	46
PID 1988 wrote to memory of 2412	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	46
PID 1684 wrote to memory of 564	1684	cmd.exe	47
PID 1684 wrote to memory of 564	1684	cmd.exe	47
PID 1684 wrote to memory of 564	1684	cmd.exe	47
PID 1684 wrote to memory of 564	1684	cmd.exe	47
PID 1988 wrote to memory of 2124	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	49
PID 1988 wrote to memory of 2124	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	49
PID 1988 wrote to memory of 2124	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	49
PID 1988 wrote to memory of 2124	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	49
PID 1988 wrote to memory of 2008	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	51
PID 1988 wrote to memory of 2008	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	51
PID 1988 wrote to memory of 2008	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	51
PID 1988 wrote to memory of 2008	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	51
PID 1988 wrote to memory of 2516	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	54
PID 1988 wrote to memory of 2516	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	54
PID 1988 wrote to memory of 2516	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	54
PID 1988 wrote to memory of 2516	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	54
PID 1988 wrote to memory of 1900	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	55
PID 1988 wrote to memory of 1900	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	55
PID 1988 wrote to memory of 1900	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	55
PID 1988 wrote to memory of 1900	1988	2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe	55
PID 2528 wrote to memory of 2788	2528	cmd.exe	59
PID 2528 wrote to memory of 2788	2528	cmd.exe	59
PID 2528 wrote to memory of 2788	2528	cmd.exe	59
PID 2528 wrote to memory of 2788	2528	cmd.exe	59
PID 2412 wrote to memory of 2740	2412	cmd.exe	113
PID 2412 wrote to memory of 2740	2412	cmd.exe	113
PID 2412 wrote to memory of 2740	2412	cmd.exe	113
PID 2412 wrote to memory of 2740	2412	cmd.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
"C:\Users\Admin\AppData\Local\Temp\2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Z: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:3052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Y: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=X: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=W: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2124
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=V: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2008
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=U: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2516
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=T: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1900
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=S: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3028
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=R: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2600
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Q: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2728
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=P: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1964
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=O: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1864
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=N: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1728
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=M: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1908
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=L: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=K: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2380
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=J: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=I: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2212
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=H: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2332
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=G: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1540
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=F: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1560
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=E: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2364
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=D: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All /Quiet
  2⤵
  PID:2772
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=C: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=B: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2740
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=A: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop vss
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1312
- - C:\Windows\SysWOW64\net.exe
    net stop vss
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vss
      4⤵
      System Location Discovery: System Language Discovery
      PID:2948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
  2⤵
  PID:2764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set recoveryenabled NO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set recoveryenabled NO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2812
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.HTML
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:868
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1584
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.TXT
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:1840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Filesize
2KB

MD5
57822a64d552903475a93bfe2ec0dd52

SHA1
c8e9aa9103ce46820574517cf76f4a4712d833b1

SHA256
d6309e4da77dca5a4212383d7ef27cece1b5f936be48e834712aa53dab7f3067

SHA512
b7ce999a200c676ac2b7115196b55ca639bf60807bfa833f46e93532ff8c5b06e9d02f4d7bb46928e7c0777654ae7240b7ea8e2722988eb013d74feeeead3ff0

Download Submit
C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Filesize
2KB

MD5
f1260e187efc0ff1e634108fd655b3dc

SHA1
4d30288454d454c9b394d564ba115e73cf1675be

SHA256
3a996edb8c99a4242270f807133cd82ce9d220461354825c2ba60c1e2d39e0e0

SHA512
9e30c6f14c5d8f53f1fed9b7415ee36ec4a60730c9c1beadd4e4ed062197c2b1915a27429dc6e5234a6d22fb55b25508f40ea718ad01de4969cdfb5409432029

Download Submit
C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Filesize
3KB

MD5
972f9c7ca92bdd403211c676f58ec04e

SHA1
5c55e21f43c2679723a8f12ccb62513d0de8e65c

SHA256
4cf3e907cfd20fa534421e0dc3ae894d24cae11051fe4281b9696bb91af00e58

SHA512
6d04a6b40a2d39a864200eb5a60813de0e11fb9aadbeecfbbbf98181fe5e7dc686d347f77e5464b9ead7b8f023431b59e2b5ed52b635ea66014241f1178a7170

Download Submit
C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Filesize
3KB

MD5
9cadcd15547a6674f1db5ac35b2ecdff

SHA1
49d44712915305f6f2dad1deaae97e8acc9e612c

SHA256
ecbd9b06e7d1c5196e3c1f1626d0b4ffc77bf7b6eedec09169891fde95c830e6

SHA512
7d57717cced64942a5ab7e33295a515688621b682b6ee15abb2f26aa2596aaf0f11ee487d58d64b86a4c4b6d16cd099dc88ab2e9edd49145f78d144d12072d00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60b59902ece89a435dd5cbf4bdf84a2e

SHA1
40909255b367062103c1f2ceeb641bbb3e24aadc

SHA256
d75a51f1f4d62f5757cc93f35be345ee9bbb607b3f54f82ab850788c0087099a

SHA512
fa844cf1aabe9f84bfb30b2021534dc50219693a3d467ee4a2d71cfa0d3236b1d075383d1dd1c702b8c2136c42411da8a257b1c965958752ff1449415a9ab402

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e60b565840e1dbb391b17f0e7a526c7

SHA1
7550980e277adff399af35b54138713f3c20a79f

SHA256
1c56395649e54b15c32336e3b54db4deadd6a233648f40326a47054cd594a4f1

SHA512
12e89fb93986108a3e097cf3c77821b24951edb4b80092decf74866b54130a8bb409e9547b0f9d14fe72c28a37ef55f3095983950c29cac683e1edf54758843b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5af435b1133143f749ca295e5790d999

SHA1
bfcb352eb8fa3cd97d8e01f87779ff574e9488d4

SHA256
e12449f3710515b1d48a6335c86fef7796341fbecb9675b5e3e32a13a07035f3

SHA512
86efa0b3eb096eb63b2c509474d22e27f3254e389366e2d57eccb4d25ebf1f5727651c9dc81e0a986c28452730561dc2ffa830584e3feb26679b56b5700f5708

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
083811ae4de1e91c207c5dc80bc2f235

SHA1
046154622f6205a8105b140beb71de9fc3e960fc

SHA256
21ca9c64f8b3a78f6505a7cbe6616f1489b714089ac04e813e11edda88e5658e

SHA512
4f5f463082481bbc41401a2149fa8736fec39f380f028008292136747c9fd38a4856f072ecd96cdad44679be44e460c9f1d3e4c0d84ebef0ebeab829706df81a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5905f7b27bb7509ee2e7fde3a579ed3

SHA1
c1eb035a5470e877c608a7a3a5c1846514587656

SHA256
1462e7ba1e8485c4e37eab7f3eb4e7d9f827a7dec7e774b038c2ccd10629b94b

SHA512
01876a000317cc41ee18c5a06d80525f0c387b4e2605aac549d1228fc86bf61b15d50a5418f73f005e63b0bc11de05f6d2e466ed057edca07fa69da950e48696

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50c1f9476d6db85ea8bd8c6f17469199

SHA1
09b203e414abb29289bf7f2b5fe23ce81541669d

SHA256
df3a3fdd2b1cbdc742c62f3b0bef6216559985908e24738a38e79a523d4bb6ab

SHA512
eacaef51ecda6644b4089a4b361ec337fa7de2142402657d8969b21b370435a85e24dc1e0ef74eb667c30e9af14eb69dee58dc8e863e10555ab2d76be1439896

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b22e3e5abf51cd7743447ea057496005

SHA1
b085dfa24248ad3af7da0a0c6b42fc9c10a2292d

SHA256
e62ea02f36a453da74747d64de79bbf11c86e1fd6753be5be4fe50171f5e7a53

SHA512
6670c0df6a1128a01872924150596e7800352c1daaba79595f18994c5ae21718cc92f519d79fc683f63d18d4d809304fa832d2c98dd3fc65a6b0d31802547530

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f52f7ed0bc9be13f1e2aeb75e768979

SHA1
18e96ba9cc2d7ec148e8e7f83326cfc7d8d72ef7

SHA256
8f443dbea911b1859dbe6446251c0149769a4c2ce2f72275139c26c0d77718c4

SHA512
20b74ad8f217e6af26979e4938fc21ee86dc9165591c2889a9b6e17c16335ae8559f6542a063c67dd1e392785659631bffe7c6b20c01284c4b93b35d7639c637

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba9ab9f4e4caa4c77170396c16395af0

SHA1
14e16fc5bb8d7207a641edd63cf16178154ca60f

SHA256
1995d81e752f821ce18458bce170bbe2e3c49e9975d011a3f68b9cae62045925

SHA512
8c3148a5d9700152a7694753043023217a2a26269741e97face7d7b34a99139cd6d7a4ec1beb5bbd6885cf361dd02c2c339a97bcbc3c0771df22d9bed29cc63b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69657e9bc5796e53442ef6ef55e1afb9

SHA1
844e0d7a5d76ec74c542833f9408751e9236d972

SHA256
b00ee76ee84e2d56ced72de28cdffa3ac9cce61b5528b7f12f20303f5eab28dc

SHA512
e1dc57bdaddfcbeb5825b9f6ec6fd77ff74a30f97cc6e7daf229794e101c71b99092004fed6602b1609f15d291b0863f92cf2c724044a9e9071de6f6306a36cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a0b91719fcb3ced4bf0c2f7e9b741ae

SHA1
642ef8df6df124a3278ffab3ddb3a43f1b18b1a4

SHA256
dd61dfe657239a684210c178c9479838d0f2ca382ccb2dcdb4bfa0cf26c1a1d2

SHA512
75a686e08d3f765b623bda324ca5334af4819f553c2badc5331f9017b7d3d644ef04cf4849b9e4ffaafab13a5d377c504dca01e9eec46c0a7535f8b74898c29d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf084b98b00ee92911feb633998611e3

SHA1
4e6281002dc9c3ef9c2f617b40bb8e0bf7f863c1

SHA256
b6c16c0bc3a24a34c67d2c9d9990338c45f00f4dc71b15d0663f2571dec429cb

SHA512
aea3724adbc1462f9eeefee1d8440b972615758665d24060e15ce9f16acdf4c5fa76371c5d4ce774ee4654e7c1114f2e9dd7f5e22823eda8addf871879bfad06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd3b6a170329c3df8400d24aea5805d2

SHA1
3c60852cef8f351e882b3279af3df50cfbd9e8fc

SHA256
e600fbc953ab93275b1d3c42ae522442fb03a49b3767afc7351f73924df007eb

SHA512
00e6240deb5e44b6eb66e8e5219e1d08a2ac48bebf0902b8d10f288535844c266c07fe6f7acb43f24bbbd33e7cc079258611e68d93ce1bb0d6d8d241e25fdaa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6f490e0b61f9b8d6bab933a088c914f

SHA1
0f80a49247294e8fb69f8ef2a227158c6040586f

SHA256
0505d022ff5a7ac418702dd65670c6185ee8891b9b4feee6d1eeaec57ec0bc9d

SHA512
d9e9eb2671f0493f80bb4ad6545f941714224fe8a9013c65f714202bd746c4dbbe7b381ae47bd9fbd87c57f2f861a7cf22a62eac00192d49054742d88d0d0b7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fcb332ebe069e0fbdcc153d4da5ea1e

SHA1
64d7b540a5f2271f18ab2861776d92071ac4ee24

SHA256
055a4af864395d8d64a9fe0e213ab9a2ddaf64fdf81a8a4054af2db0903bf887

SHA512
94897c6775a934b1cc876e37f272231d60b140bc356d7307a3c0632c0bb67981e2a41d7a28246f30369e05fe79dd433f7baa59bfabdb63d90cf73ed3e7c4b13b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8328d7ff73d2ce1ba1598b1c9479a2c

SHA1
5b506ef01773dcce3f8d63d3b70d70792fde85e5

SHA256
cb19af4c936e66ad269f97d7127aeab6b114dd4993cc88e485318ed724b4a9f3

SHA512
22244b85c77d05e6fcbcb939af7d20b4a1039c99cdb581602ffbafe0320ce2218d4596cb11d73358b6ec4899ac9ddb42fc43ac7fec0640a5e1271b9bbe00a58d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66bd55e4eddcd31c1202994af7bf0b4b

SHA1
7907ccc8540ab21505df4031f534e15507969ff7

SHA256
49a833ed63bf84168b264b0d98582cb060c09b1ec9d291ce9b0e1cd019bb592e

SHA512
b62ac5fe33f6848085da38504a4064f1b52ed21a0bc027d54736a8b681a5c6c7a602b1324163d7914c6c504fbc801cc564eaf406fb2bf92676c944141151050e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e277617161be10d6c21db2a0ad449d83

SHA1
3e3c2eb59971d5f44000e688eeebaf530c830aba

SHA256
3e1d57f1ad659e02c92c1d8a334a0f8d198cf40498eea17287681c891216eaed

SHA512
75f514d5612186ea82c9c3ac82c0f7d8843467a8a2ed36cb1ab69f8e709015805b3bf0a9fd970e42e9db9da3aa58839d4693ddf89818e6b7e985f69e7155a348

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8650a07c1e413eb5a1628982819069af

SHA1
d4fd60189f30097b013ef902370ea820df8997f0

SHA256
0ae46c7eaa70fb26cfe5b7e619f547f738b73c07b1ebcab5a413975c9fa992e7

SHA512
1ada62a17151dea0a236d8336e40d5b160e7748b174f7ee27afe626ee2a1691825761160f9ad7892f4a476b6b0a8ba67769095d0a40afe837cc6cae41994b832

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1ad8eec256df8302c70351ffe2cb90a

SHA1
3e2d1b123272a48d97665d00dc23437651fd71f8

SHA256
cea69885279c415af574276c6589941e5a9d9a2804ea213f7d6272c57cad8435

SHA512
823fc2019d3af69299381e50e674431f0db8eb5ff2a7711c62e42a734618862c8e135f67ba1133b4ce90d69fc214e745b48603982ad702e8922ac080f66ff60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCE2A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCE6B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1988-0-0x00000000000B0000-0x00000000000BB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads