Analysis
max time kernel: 63s
max time network: 67s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 17-11-2024 01:54
Behavioral task: behavioral1
Sample: dickd.exe
Resource: win10ltsc2021-20241023-en
General
Target: dickd.exe
Size: 295KB
MD5: 765079967592ca7293da5e2b792d3442
SHA1: 0ca816f83480e9ab4bac02c7af501c7058ddad88
SHA256: d65bb45d038c257ccd7cf42aa6179e0b2095e14209101ee2dcaee4f69586a54a
SHA512: e2651e113244e73eb84e8606d64803ff464cad9ac921d777f8cebc00d626e170d37f28a1febf55882c6859d893aed99de9e01629fe965b2276cfef07e9f4ade6
SSDEEP: 6144:8Sr9ScdUdRZek/jzIhnqjE/xgrSzgDQxGsokL:ndUd/V4hnmE/CSIQM6
Malware Config
Extracted
Path: C:\Users\Admin\Desktop\read_it.txt
Family: chaos
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource | yara_rule
behavioral1/memory/2072-1-0x0000000000860000-0x00000000008B0000-memory.dmp | family_chaos
behavioral1/files/0x002d0000000450f7-2.dat | family_chaos
-
Chaos family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
1036 | bcdedit.exe
3456 | bcdedit.exe
-
Deletes backup catalog 1 IoCs
pid | Process
3740 | wbadmin.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation | dickd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation | svchost.exe
-
Drops startup file 5 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | svchost.exe
File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\read_it.txt | taskmgr.exe
File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\svchost.url | taskmgr.exe
-
Executes dropped EXE 1 IoCs
pid | Process
1668 | svchost.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
-
Drops desktop.ini file(s) 31 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | svchost.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1361837696-2276465416-1936241636-1000\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | svchost.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\p5juqp9q7.jpg" | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1676 | vssadmin.exe
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings | svchost.exe
-
Opens file in notepad (likely ransom note) 2 IoCs
pid | Process
5060 | NOTEPAD.EXE
5752 | NOTEPAD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
1668 | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 59 IoCs
pid | Process (identical rows collapsed, with their count)
2072 | dickd.exe (×23)
1668 | svchost.exe (×22)
3900 | WMIC.exe (×4)
5476 | taskmgr.exe (×10)
-
Suspicious use of AdjustPrivilegeToken 57 IoCs
description | pid | Process (identical rows collapsed, with their count)
Token: SeDebugPrivilege | 2072 | dickd.exe
Token: SeDebugPrivilege | 1668 | svchost.exe
Token: SeBackupPrivilege | 1288 | vssvc.exe
Token: SeRestorePrivilege | 1288 | vssvc.exe
Token: SeAuditPrivilege | 1288 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 3900 | WMIC.exe (×2)
Token: SeSecurityPrivilege | 3900 | WMIC.exe (×2)
Token: SeTakeOwnershipPrivilege | 3900 | WMIC.exe (×2)
Token: SeLoadDriverPrivilege | 3900 | WMIC.exe (×2)
Token: SeSystemProfilePrivilege | 3900 | WMIC.exe (×2)
Token: SeSystemtimePrivilege | 3900 | WMIC.exe (×2)
Token: SeProfSingleProcessPrivilege | 3900 | WMIC.exe (×2)
Token: SeIncBasePriorityPrivilege | 3900 | WMIC.exe (×2)
Token: SeCreatePagefilePrivilege | 3900 | WMIC.exe (×2)
Token: SeBackupPrivilege | 3900 | WMIC.exe (×2)
Token: SeRestorePrivilege | 3900 | WMIC.exe (×2)
Token: SeShutdownPrivilege | 3900 | WMIC.exe (×2)
Token: SeDebugPrivilege | 3900 | WMIC.exe (×2)
Token: SeSystemEnvironmentPrivilege | 3900 | WMIC.exe (×2)
Token: SeRemoteShutdownPrivilege | 3900 | WMIC.exe (×2)
Token: SeUndockPrivilege | 3900 | WMIC.exe (×2)
Token: SeManageVolumePrivilege | 3900 | WMIC.exe (×2)
Token: 33 | 3900 | WMIC.exe (×2)
Token: 34 | 3900 | WMIC.exe (×2)
Token: 35 | 3900 | WMIC.exe (×2)
Token: 36 | 3900 | WMIC.exe (×2)
Token: SeBackupPrivilege | 4956 | wbengine.exe
Token: SeRestorePrivilege | 4956 | wbengine.exe
Token: SeSecurityPrivilege | 4956 | wbengine.exe
Token: SeDebugPrivilege | 3164 | firefox.exe (×2)
Token: SeDebugPrivilege | 5476 | taskmgr.exe
Token: SeSystemProfilePrivilege | 5476 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 5476 | taskmgr.exe
Token: 33 | 5476 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 5476 | taskmgr.exe
-
Suspicious use of FindShellTrayWindow 57 IoCs
pid | Process (57 repeated rows for the two processes below)
3164 | firefox.exe
5476 | taskmgr.exe
-
Suspicious use of SendNotifyMessage 56 IoCs
pid | Process (56 repeated rows for the two processes below)
3164 | firefox.exe
5476 | taskmgr.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3164 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (identical rows collapsed, with their count)
PID 2072 wrote to memory of 1668 | 2072 | dickd.exe | 85 (×2)
PID 1668 wrote to memory of 4896 | 1668 | svchost.exe | 89 (×2)
PID 4896 wrote to memory of 1676 | 4896 | cmd.exe | 91 (×2)
PID 4896 wrote to memory of 3900 | 4896 | cmd.exe | 94 (×2)
PID 1668 wrote to memory of 3172 | 1668 | svchost.exe | 95 (×2)
PID 3172 wrote to memory of 1036 | 3172 | cmd.exe | 97 (×2)
PID 3172 wrote to memory of 3456 | 3172 | cmd.exe | 98 (×2)
PID 1668 wrote to memory of 632 | 1668 | svchost.exe | 99 (×2)
PID 632 wrote to memory of 3740 | 632 | cmd.exe | 101 (×2)
PID 1668 wrote to memory of 5060 | 1668 | svchost.exe | 106 (×2)
PID 3284 wrote to memory of 3164 | 3284 | firefox.exe | 114 (×11)
PID 3164 wrote to memory of 1976 | 3164 | firefox.exe | 115 (×33)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\dickd.exe (PID 2072)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dickd.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\svchost.exe (PID 1668)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Sets desktop wallpaper using registry
      - Modifies registry class
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\cmd.exe (PID 4896)
          Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\vssadmin.exe (PID 1676)
              Command line: vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
            C:\Windows\System32\Wbem\WMIC.exe (PID 3900)
              Command line: wmic shadowcopy delete
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\cmd.exe (PID 3172)
          Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\bcdedit.exe (PID 1036)
              Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
              - Modifies boot configuration data using bcdedit
            C:\Windows\system32\bcdedit.exe (PID 3456)
              Command line: bcdedit /set {default} recoveryenabled no
              - Modifies boot configuration data using bcdedit
        C:\Windows\System32\cmd.exe (PID 632)
          Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\wbadmin.exe (PID 3740)
              Command line: wbadmin delete catalog -quiet
              - Deletes backup catalog
        C:\Windows\system32\NOTEPAD.EXE (PID 5060)
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
          - Opens file in notepad (likely ransom note)
C:\Windows\system32\vssvc.exe (PID 1288)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe (PID 4956)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe (PID 3132)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe (PID 1484)
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
C:\Program Files\Mozilla Firefox\firefox.exe (PID 3284)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 3164)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 1976)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {166b4553-c7fe-4074-98c5-eafd409a59ac} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" gpu
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 1640)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33488600-01e3-4220-be03-ddad3e25f250} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" socket
          - Checks processor information in registry
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 2040)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2960 -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 2848 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc38c38b-d8ee-43b7-91f8-7d8db1d3a9dd} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 2156)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4364 -childID 2 -isForBrowser -prefsHandle 4356 -prefMapHandle 4352 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8411b0f9-61f5-44c5-a744-de5ee03633bd} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 5500)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4880 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4912 -prefMapHandle 4896 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {874cf745-dbd2-4dae-bb72-5736d82f3273} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" utility
          - Checks processor information in registry
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 6024)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5252 -childID 3 -isForBrowser -prefsHandle 5260 -prefMapHandle 5352 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf90ea12-2856-414a-9fe1-43ce5f391109} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 6120)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 4 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfe57771-9c9c-47b6-9c88-8c28751be037} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 6132)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 5 -isForBrowser -prefsHandle 5684 -prefMapHandle 5680 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0226957-a161-4fb5-a348-de1639423e2b} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" tab
C:\Windows\system32\taskmgr.exe (PID 5476)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops startup file
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
C:\Windows\system32\NOTEPAD.EXE (PID 5752)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\read_it.txt
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access 1
Indicator Removal 3
File Deletion 3
Modify Registry 1
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
Filesize: 142B
MD5: 1a09a38485cbf1d59c29d8e3213e1ab9
SHA1: 9cbe6ebd07b13a0d4b2565dc15a273629aa97251
SHA256: 0a3bdc40dc0d243784bc5fa887b79110350b3d3200684f3ba99880fcea40e3b8
SHA512: a33c228196a4b3f14e40ac6ccb6c43002de28063594c472db852bedac20a6725f4e7601b9f32516e2c6bea35f83746973b3f1d200d9e5d668bda7553b62ac616
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 23KB
MD5: 714076dbeb2e5cfaf05d36fb0ce09534
SHA1: 06aba3aa75e0b1bc8fe3a2589bbcb2bc9ac2d679
SHA256: f9a589442dbe1b77a04fbf4680b4425dddc57a32b435505f169b9f97d8c8aa80
SHA512: 19b7c77cdcb3b2722685d248c982c66c6acd253ecf58cf327cddbfe2c7e776c3142ef5bd75100fa4dce6d7964d1422c94011c244f1256c979d5787d03ef699d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 22KB
MD5: fef31f535729a375ad57ea05a70c00b3
SHA1: e23346f1e29551f7025808a8278281efa56a4cd8
SHA256: aa5a7908e73750b2b6892835f2f0c6a46e97f22b2c3132ef745a1b9f8a6a18e4
SHA512: 2c90a49c839a9020a7ca1d54ecc35dae21d40d8c09db516a0877ec11ccd2d25e92f6ce339de82e59365b06a2e67a68d0a228b677bdc211719ca8676494550028
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 23KB
MD5: 9b372a8c21b9f3670e690510f8fec373
SHA1: de52f45106671b2afe1817e8fe649835b84a41a6
SHA256: 9d6251493d0ad36bd29d9455a78c50d6c484b3573e0863644f7d42894744cf87
SHA512: 3e563ad0f53986ba64f40b4e0c61762931f5b0de13077c147f535309bd504aa4d4c1d6d94efb259e5bd2bfdfcc69a8a47e5fbeac561e812b838a59592809e313
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\pending_pings\5d1fe3f9-9ce0-4fed-a7e9-172f73c252e5
Filesize: 659B
MD5: 556dfa7de1adbe27bf02a3c6b5f3d939
SHA1: 8c14fc60ed5cb985b3edc66a32390f14e8d7036b
SHA256: c9dc837df6851062a48c92ad6eeba62a98d2e9b6f49f13cab23ff5862958730e
SHA512: dc1fc9af5a3ee1175e15b04107c29cdeae94bd1a7ab8df38fac4973059b32a3875ba7627564df363a5947f7b5a8fde98a392eb29caaf349ceebcfce767edd5a2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\pending_pings\73d60195-ca64-47f0-acaf-2e46b4aad14a
Filesize: 982B
MD5: 3af8b8e2680583b3a4e6c0236b8f2e89
SHA1: 0ffb74d8071f8d4144346c040b64057db30558ee
SHA256: b78812094f812214151bd4112b9ffb47153816b201b681972713644bd5ef91aa
SHA512: 645160188f6a59441bedd0c4e8722c8dfe2d124e4a177929ff4b2b92ca1698cba8d1d6e1b5c3403d03ce6abccfa4308ec67ebd93c666368149b478f2c82e31bb
-
Filesize: 11KB
MD5: 927bdf0d944bf437199b732e4980b331
SHA1: dfec0c4c350c510550fd7f2534cd21b895688e8e
SHA256: b1a40c4283fe793f9bf51037fb38c7fdb5988907db61da8838580de5d334dee4
SHA512: 977a66a441818cb40bba3a1d92df461a7fc0a7ec5487077055505725d5823d83138a06a277333d47459ec2d0ee8d1799dc133490c0b37658b1cce1c8f3890248
-
Filesize: 10KB
MD5: 263dcd534635bb0a497990e3a225e918
SHA1: 9d2e697c35c0154ff171ad05b4612c24c25890ec
SHA256: 6c915e3faa068cf50b54785145b7e2feab93649e3e3ddf755899f3b32d53bc13
SHA512: d1662b1e0aae69f5797ab14d478f7b389c91c902a9ae555322f06d295e6fcfb46d03d46fcaee591ea77b56776741ae043f7eeb048daa45eaa8b832b81b8c419b
-
Filesize: 295KB
MD5: 765079967592ca7293da5e2b792d3442
SHA1: 0ca816f83480e9ab4bac02c7af501c7058ddad88
SHA256: d65bb45d038c257ccd7cf42aa6179e0b2095e14209101ee2dcaee4f69586a54a
SHA512: e2651e113244e73eb84e8606d64803ff464cad9ac921d777f8cebc00d626e170d37f28a1febf55882c6859d893aed99de9e01629fe965b2276cfef07e9f4ade6
-
Filesize: 964B
MD5: 4217b8b83ce3c3f70029a056546f8fd0
SHA1: 487cdb5733d073a0427418888e8f7070fe782a03
SHA256: 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA512: 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740