Overview
overview
10Static
static
3BSOD/BSOD/...OD.exe
windows7-x64
1BSOD/BSOD/...OD.exe
windows10-2004-x64
BSOD/BSOD/...OD.exe
windows10-ltsc 2021-x64
1BSOD/BSOD/...OD.exe
windows11-21h2-x64
1RANSOMWARE....0.exe
windows7-x64
10RANSOMWARE....0.exe
windows10-2004-x64
10RANSOMWARE....0.exe
windows10-ltsc 2021-x64
10RANSOMWARE....0.exe
windows11-21h2-x64
10Analysis
-
max time kernel
1800s -
max time network
1162s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
20/11/2024, 12:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
BSOD/BSOD/bin/Debug/BSOD.exe
Resource
win7-20240903-en
windows7-x64
1 signatures
1800 seconds
Behavioral task
behavioral2
Sample
BSOD/BSOD/bin/Debug/BSOD.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
0 signatures
1800 seconds
Behavioral task
behavioral3
Sample
BSOD/BSOD/bin/Debug/BSOD.exe
Resource
win10ltsc2021-20241023-en
windows10-ltsc 2021-x64
0 signatures
1800 seconds
Behavioral task
behavioral4
Sample
BSOD/BSOD/bin/Debug/BSOD.exe
Resource
win11-20241007-en
windows11-21h2-x64
0 signatures
1800 seconds
Behavioral task
behavioral5
Sample
RANSOMWARE3.0/RANSOMWARE3.0/obj/Debug/RANSOMWARE3.0.exe
Resource
win7-20240903-en
windows7-x64
15 signatures
1800 seconds
Behavioral task
behavioral6
Sample
RANSOMWARE3.0/RANSOMWARE3.0/obj/Debug/RANSOMWARE3.0.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
15 signatures
1800 seconds
Behavioral task
behavioral7
Sample
RANSOMWARE3.0/RANSOMWARE3.0/obj/Debug/RANSOMWARE3.0.exe
Resource
win10ltsc2021-20241023-en
windows10-ltsc 2021-x64
15 signatures
1800 seconds
Behavioral task
behavioral8
Sample
RANSOMWARE3.0/RANSOMWARE3.0/obj/Debug/RANSOMWARE3.0.exe
Resource
win11-20241007-en
windows11-21h2-x64
15 signatures
1800 seconds
General
-
Target
RANSOMWARE3.0/RANSOMWARE3.0/obj/Debug/RANSOMWARE3.0.exe
-
Size
206KB
-
MD5
d82aef6e33a9bb4bbbec1e38547b1a47
-
SHA1
bb74e90eab11ecc0a2e3702882489a2523949315
-
SHA256
9cff1ba17b83e537751fe1cd414690c3aa9627f06899afd906efaa114575d42d
-
SHA512
88e61e2a6ce3fe80f4ce77493254fcd56476ffc1e6a36a7f4f063757c6fd2cd1332f2a1d71222cbae244b294dcc5b56b8a83e53e15138a4ef1c3fbd56690f804
-
SSDEEP
3072:qRkbWhQAqY5+I00000000000000cGh4u3J+QGAqYVZmXMZhGq4ziqY:qSbsqgP4QbqS1ZhGq4Gq
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\BSOD.exe" RANSOMWARE3.0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "BSOD.exe" RANSOMWARE3.0.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RANSOMWARE3.0.exe -
Renames multiple (279) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" RANSOMWARE3.0.exe -
Disables Task Manager via registry modification
-
Manipulates Digital Signatures 1 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description ioc Process File opened for modification C:\Windows\SysWOW64\wintrust.dll RANSOMWARE3.0.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BSOD.exe RANSOMWARE3.0.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BSOD.exe RANSOMWARE3.0.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RANSOMWARE3.0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RANSOMWARE3.0.exe -
Drops desktop.ini file(s) 7 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\desktop.ini RANSOMWARE3.0.exe File opened for modification C:\Users\Admin\Documents\desktop.ini RANSOMWARE3.0.exe File opened for modification C:\Users\Admin\Music\desktop.ini RANSOMWARE3.0.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini RANSOMWARE3.0.exe File opened for modification C:\Users\Admin\Videos\desktop.ini RANSOMWARE3.0.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini RANSOMWARE3.0.exe File opened for modification C:\Program Files\desktop.ini RANSOMWARE3.0.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\cleanmgr.exe.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\ssdpapi.dll RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\wiatrace.dll RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\kbd101c.DLL.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\l2gpstore.dll.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\NetworkCollectionAgent.dll RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\SortWindows63.dll RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\termmgr.dll.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\Windows.UI.dll.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\WSHTCPIP.DLL.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\chkdsk.exe.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\dialclient.dll RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\DXCore.dll.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\NAPCRYPT.DLL.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\netiougc.exe.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\prntvpt.dll.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\shpafact.dll.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\mtxex.dll RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\Register-CimProvider.exe.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\iscsicpl.exe RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\kmddsp.tsp RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\mfc120esn.dll.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\RdpSaProxy.exe.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\Windows.Graphics.dll RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\elshyph.dll.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\KBDINBEN.DLL RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\LAPRXY.DLL.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\msexcl40.dll.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\RstrtMgr.dll.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\themeui.dll.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\cero.rs.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\clip.exe.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\dsrole.dll.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\EtwRundown.dll RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\hnetmon.dll RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\ktmutil.exe.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\odbcjt32.dll RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\PhonePlatformAbstraction.dll RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\WinTypes.dll.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\mfsensorgroup.dll.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\appidapi.dll.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\AtBroker.exe RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\AuditPolicyGPInterop.dll RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\authz.dll RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\D3DSCache.dll.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\DWWIN.EXE RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\FXSCOMEX.dll.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\pdh.dll.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\srmclient.dll RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\polstore.dll RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\spnet.dll.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\ContentDeliveryManager.Utilities.dll RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\KBDSYR2.DLL RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\perfproc.dll.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\srumsvc.dll RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\ir41_32original.dll.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\MFCaptureEngine.dll.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\srclient.dll.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\netprofm.dll.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\ActionCenter.dll.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\SysWOW64\dxmasf.dll.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\iasacct.dll RANSOMWARE3.0.exe File opened for modification C:\Windows\SysWOW64\KBDBE.DLL RANSOMWARE3.0.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\CheckpointExit.TTS.CLUTTER RANSOMWARE3.0.exe File created C:\Program Files\CopyRestart.ini.CLUTTER RANSOMWARE3.0.exe File created C:\Program Files\DenyMerge.docm.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Program Files\RequestReceive.zip RANSOMWARE3.0.exe File opened for modification C:\Program Files\WaitUnblock.M2V RANSOMWARE3.0.exe File created C:\Program Files\ConvertToCompress.dll.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Program Files\desktop.ini RANSOMWARE3.0.exe File created C:\Program Files\ExpandCompare.pub.CLUTTER RANSOMWARE3.0.exe File created C:\Program Files\WaitUnblock.M2V.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Program Files\WaitApprove.mp2 RANSOMWARE3.0.exe File opened for modification C:\Program Files\WatchExport.ogg RANSOMWARE3.0.exe File opened for modification C:\Program Files\CheckpointExit.TTS RANSOMWARE3.0.exe File opened for modification C:\Program Files\ConnectCompare.vstm RANSOMWARE3.0.exe File opened for modification C:\Program Files\CopyUnlock.raw RANSOMWARE3.0.exe File created C:\Program Files\EnableDismount.ini.CLUTTER RANSOMWARE3.0.exe File created C:\Program Files\JoinRestore.css.CLUTTER RANSOMWARE3.0.exe File created C:\Program Files\WaitApprove.mp2.CLUTTER RANSOMWARE3.0.exe File created C:\Program Files\ConvertToPop.hta.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Program Files\GetSet.cr2 RANSOMWARE3.0.exe File opened for modification C:\Program Files\JoinRestore.css RANSOMWARE3.0.exe File opened for modification C:\Program Files\TestRestore.mhtml RANSOMWARE3.0.exe File created C:\Program Files\UnprotectRename.scf.CLUTTER RANSOMWARE3.0.exe File created C:\Program Files\WatchExport.ogg.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Program Files\ExpandDebug.bmp RANSOMWARE3.0.exe File opened for modification C:\Program Files\LimitPing.xlsx RANSOMWARE3.0.exe File created C:\Program Files\ReceiveSubmit.ttf.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Program Files\RestartRedo.mp2v RANSOMWARE3.0.exe File opened for modification C:\Program Files\ConvertToPop.hta RANSOMWARE3.0.exe File opened for modification C:\Program Files\ConvertToRename.tiff RANSOMWARE3.0.exe File opened for modification C:\Program Files\CopyRestart.ini RANSOMWARE3.0.exe File created C:\Program Files\RestartRedo.mp2v.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Program Files\SendSuspend.jpeg RANSOMWARE3.0.exe File created C:\Program Files (x86)\desktop.ini.CLUTTER RANSOMWARE3.0.exe File created C:\Program Files\SendSuspend.jpeg.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Program Files\UnprotectRename.scf RANSOMWARE3.0.exe File created C:\Program Files\UpdateJoin.potm.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Program Files (x86)\desktop.ini RANSOMWARE3.0.exe File created C:\Program Files\CopyUnlock.raw.CLUTTER RANSOMWARE3.0.exe File created C:\Program Files\EditJoin.TTS.CLUTTER RANSOMWARE3.0.exe File created C:\Program Files\LimitPing.xlsx.CLUTTER RANSOMWARE3.0.exe File created C:\Program Files\RepairRedo.ppsx.CLUTTER RANSOMWARE3.0.exe File created C:\Program Files\RequestReceive.zip.CLUTTER RANSOMWARE3.0.exe File created C:\Program Files\CheckpointPublish.vst.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Program Files\ConvertToCompress.dll RANSOMWARE3.0.exe File created C:\Program Files\ConvertToRename.tiff.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Program Files\ExpandRemove.mov RANSOMWARE3.0.exe File opened for modification C:\Program Files\RepairRedo.ppsx RANSOMWARE3.0.exe File opened for modification C:\Program Files\EnableDismount.ini RANSOMWARE3.0.exe File created C:\Program Files\MeasureOptimize.DVR.CLUTTER RANSOMWARE3.0.exe File created C:\Program Files\RegisterAdd.wps.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Program Files\RegisterAdd.wps RANSOMWARE3.0.exe File created C:\Program Files\UnblockMove.DVR.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Program Files\EditJoin.TTS RANSOMWARE3.0.exe File created C:\Program Files\ExpandDebug.bmp.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Program Files\ReceiveSubmit.ttf RANSOMWARE3.0.exe File opened for modification C:\Program Files\UpdateJoin.potm RANSOMWARE3.0.exe File opened for modification C:\Program Files\BlockConvertFrom.7z RANSOMWARE3.0.exe File opened for modification C:\Program Files\ExpandSet.m1v RANSOMWARE3.0.exe File created C:\Program Files\GetSet.cr2.CLUTTER RANSOMWARE3.0.exe File created C:\Program Files\GroupRename.html.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Program Files\RepairBackup.wax RANSOMWARE3.0.exe File opened for modification C:\Program Files\UnlockRepair.xsl RANSOMWARE3.0.exe File opened for modification C:\Program Files\UnblockMove.DVR RANSOMWARE3.0.exe File created C:\Program Files\UnlockRepair.xsl.CLUTTER RANSOMWARE3.0.exe -
Drops file in Windows directory 50 IoCs
description ioc Process File opened for modification C:\Windows\winhlp32.exe RANSOMWARE3.0.exe File opened for modification C:\Windows\notepad.exe RANSOMWARE3.0.exe File created C:\Windows\Professional.xml.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\splwow64.exe RANSOMWARE3.0.exe File created C:\Windows\sysmon.exe.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\win.ini RANSOMWARE3.0.exe File created C:\Windows\lsasetup.log.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\PFRO.log RANSOMWARE3.0.exe File opened for modification C:\Windows\system.ini RANSOMWARE3.0.exe File opened for modification C:\Windows\sysmon.exe RANSOMWARE3.0.exe File created C:\Windows\SysmonDrv.sys.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\WindowsShell.Manifest RANSOMWARE3.0.exe File created C:\Windows\bootstat.dat.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\DtcInstall.log.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\lsasetup.log RANSOMWARE3.0.exe File created C:\Windows\notepad.exe.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\regedit.exe.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\WindowsUpdate.log.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\WindowsUpdate.log RANSOMWARE3.0.exe File created C:\Windows\winhlp32.exe.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\WMSysPr9.prx RANSOMWARE3.0.exe File created C:\Windows\hh.exe.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\mib.bin.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\setupact.log RANSOMWARE3.0.exe File opened for modification C:\Windows\SysmonDrv.sys RANSOMWARE3.0.exe File opened for modification C:\Windows\write.exe RANSOMWARE3.0.exe File created C:\Windows\bfsvc.exe.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\HelpPane.exe RANSOMWARE3.0.exe File created C:\Windows\PFRO.log.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\splwow64.exe.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\system.ini.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\WMSysPr9.prx.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\DtcInstall.log RANSOMWARE3.0.exe File opened for modification C:\Windows\explorer.exe RANSOMWARE3.0.exe File created C:\Windows\HelpPane.exe.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\hh.exe RANSOMWARE3.0.exe File opened for modification C:\Windows\setuperr.log RANSOMWARE3.0.exe File opened for modification C:\Windows\BSOD.exe RANSOMWARE3.0.exe File opened for modification C:\Windows\bootstat.dat RANSOMWARE3.0.exe File created C:\Windows\explorer.exe.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\Professional.xml RANSOMWARE3.0.exe File created C:\Windows\setupact.log.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\WindowsShell.Manifest.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\win.ini.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\write.exe.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\bfsvc.exe RANSOMWARE3.0.exe File opened for modification C:\Windows\mib.bin RANSOMWARE3.0.exe File created C:\Windows\setuperr.log.CLUTTER RANSOMWARE3.0.exe File created C:\Windows\twain_32.dll.CLUTTER RANSOMWARE3.0.exe File opened for modification C:\Windows\twain_32.dll RANSOMWARE3.0.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RANSOMWARE3.0.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3024 RANSOMWARE3.0.exe -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RANSOMWARE3.0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1" RANSOMWARE3.0.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RANSOMWARE3.0\RANSOMWARE3.0\obj\Debug\RANSOMWARE3.0.exe"C:\Users\Admin\AppData\Local\Temp\RANSOMWARE3.0\RANSOMWARE3.0\obj\Debug\RANSOMWARE3.0.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Manipulates Digital Signatures
- Drops startup file
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3024
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD54ec85cec090259e2ad98bc922a70cc5c
SHA17fbc4d3a11395f373d6bb40ad7f8bdf9088853e4
SHA256dc0e9cae1e53b8f74c9bda8fc5c76c9f8a925e29275bbca0b4e35204af6c3fa3
SHA512df72554135d7dd06e60b8bb4b98617b16693127b91889a188cedc80a3e85ac3fb578ed9261bd54de465387f0cc755916dc5eb15b24e0350c91f188bc4b703cfb