hydracrypt | 51b3773145652b5d559396a08e1282a3a1d92d4df473f774d61791386fca0598

Analysis

max time kernel
361s
max time network
362s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Size

164KB
MD5

08b304d01220f9de63244b4666621bba
SHA1

b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
SHA256

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
SHA512

162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9
SSDEEP

3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn

Score

10^/10

hydracrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

HydraCrypt
Relatively unsophisticated ransomware family based on leaked CrypBoss source code.
ransomware hydracrypt
Hydracrypt family
hydracrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (474) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_8c36b709	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_8c36b709	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe\""	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\koxaxevo.exe\""	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BAFOJIJD\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XMOOPFZ1\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5WY8FHO4\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
File opened (read-only)	\??\L:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\K:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\J:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\V:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\P:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\N:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\M:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\G:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\A:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\Z:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\U:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\W:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\T:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\R:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\Q:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\I:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\H:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\Y:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\X:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\B:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\E:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\S:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\O:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	pid	process	target process
PID 1600 set thread context of 2628	1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1692 2628 WerFault.exe afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

pid	pid_target	process	target process
1692	2628	WerFault.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vssadmin.exevssadmin.execmd.execmd.execmd.execmd.exeafd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exevssadmin.execmd.execmd.execmd.execmd.exevssadmin.execmd.execmd.execmd.exevssadmin.exeafd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.execmd.execmd.execmd.exevssadmin.execmd.exevssadmin.exevssadmin.exevssadmin.exevssadmin.execmd.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.execmd.exevssadmin.execmd.exevssadmin.exevssadmin.exenet1.execmd.execmd.exevssadmin.exevssadmin.exenet.execmd.exeWMIC.exevssadmin.execmd.exevssadmin.execmd.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.execmd.execmd.exevssadmin.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
564	vssadmin.exe
2780	vssadmin.exe
2088	vssadmin.exe
1456	vssadmin.exe
2020	vssadmin.exe
400	vssadmin.exe
2000	vssadmin.exe
1940	vssadmin.exe
1792	vssadmin.exe
1164	vssadmin.exe
1824	vssadmin.exe
1036	vssadmin.exe
2900	vssadmin.exe
2248	vssadmin.exe
2208	vssadmin.exe
3012	vssadmin.exe
2212	vssadmin.exe
1796	vssadmin.exe
2752	vssadmin.exe
2576	vssadmin.exe
2604	vssadmin.exe
3044	vssadmin.exe
2244	vssadmin.exe
2708	vssadmin.exe
1744	vssadmin.exe
2340	vssadmin.exe
2012	vssadmin.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

pid process

1600 afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2564	WMIC.exe
Token: SeSecurityPrivilege	2564	WMIC.exe
Token: SeTakeOwnershipPrivilege	2564	WMIC.exe
Token: SeLoadDriverPrivilege	2564	WMIC.exe
Token: SeSystemProfilePrivilege	2564	WMIC.exe
Token: SeSystemtimePrivilege	2564	WMIC.exe
Token: SeProfSingleProcessPrivilege	2564	WMIC.exe
Token: SeIncBasePriorityPrivilege	2564	WMIC.exe
Token: SeCreatePagefilePrivilege	2564	WMIC.exe
Token: SeBackupPrivilege	2564	WMIC.exe
Token: SeRestorePrivilege	2564	WMIC.exe
Token: SeShutdownPrivilege	2564	WMIC.exe
Token: SeDebugPrivilege	2564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2564	WMIC.exe
Token: SeRemoteShutdownPrivilege	2564	WMIC.exe
Token: SeUndockPrivilege	2564	WMIC.exe
Token: SeManageVolumePrivilege	2564	WMIC.exe
Token: 33	2564	WMIC.exe
Token: 34	2564	WMIC.exe
Token: 35	2564	WMIC.exe
Token: SeBackupPrivilege	2376	vssvc.exe
Token: SeRestorePrivilege	2376	vssvc.exe
Token: SeAuditPrivilege	2376	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2564	WMIC.exe
Token: SeSecurityPrivilege	2564	WMIC.exe
Token: SeTakeOwnershipPrivilege	2564	WMIC.exe
Token: SeLoadDriverPrivilege	2564	WMIC.exe
Token: SeSystemProfilePrivilege	2564	WMIC.exe
Token: SeSystemtimePrivilege	2564	WMIC.exe
Token: SeProfSingleProcessPrivilege	2564	WMIC.exe
Token: SeIncBasePriorityPrivilege	2564	WMIC.exe
Token: SeCreatePagefilePrivilege	2564	WMIC.exe
Token: SeBackupPrivilege	2564	WMIC.exe
Token: SeRestorePrivilege	2564	WMIC.exe
Token: SeShutdownPrivilege	2564	WMIC.exe
Token: SeDebugPrivilege	2564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2564	WMIC.exe
Token: SeRemoteShutdownPrivilege	2564	WMIC.exe
Token: SeUndockPrivilege	2564	WMIC.exe
Token: SeManageVolumePrivilege	2564	WMIC.exe
Token: 33	2564	WMIC.exe
Token: 34	2564	WMIC.exe
Token: 35	2564	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

pid	process
1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exeafd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.execmd.exenet.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1600 wrote to memory of 2628	1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1600 wrote to memory of 2628	1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1600 wrote to memory of 2628	1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1600 wrote to memory of 2628	1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1600 wrote to memory of 2628	1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1600 wrote to memory of 2628	1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1600 wrote to memory of 2628	1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1600 wrote to memory of 2628	1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1600 wrote to memory of 2628	1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1600 wrote to memory of 2628	1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1600 wrote to memory of 2628	1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1600 wrote to memory of 2628	1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1600 wrote to memory of 2628	1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1600 wrote to memory of 2628	1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1600 wrote to memory of 2628	1600	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2628 wrote to memory of 2224	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2224	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2224	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2224	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2300	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2300	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2300	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2300	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2224 wrote to memory of 2544	2224	cmd.exe	net.exe
PID 2224 wrote to memory of 2544	2224	cmd.exe	net.exe
PID 2224 wrote to memory of 2544	2224	cmd.exe	net.exe
PID 2224 wrote to memory of 2544	2224	cmd.exe	net.exe
PID 2544 wrote to memory of 2744	2544	net.exe	net1.exe
PID 2544 wrote to memory of 2744	2544	net.exe	net1.exe
PID 2544 wrote to memory of 2744	2544	net.exe	net1.exe
PID 2544 wrote to memory of 2744	2544	net.exe	net1.exe
PID 2628 wrote to memory of 2696	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2696	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2696	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2696	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2300 wrote to memory of 2576	2300	cmd.exe	vssadmin.exe
PID 2300 wrote to memory of 2576	2300	cmd.exe	vssadmin.exe
PID 2300 wrote to memory of 2576	2300	cmd.exe	vssadmin.exe
PID 2300 wrote to memory of 2576	2300	cmd.exe	vssadmin.exe
PID 2628 wrote to memory of 2524	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2524	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2524	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2524	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2584	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2584	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2584	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2584	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2696 wrote to memory of 2564	2696	cmd.exe	WMIC.exe
PID 2696 wrote to memory of 2564	2696	cmd.exe	WMIC.exe
PID 2696 wrote to memory of 2564	2696	cmd.exe	WMIC.exe
PID 2696 wrote to memory of 2564	2696	cmd.exe	WMIC.exe
PID 2628 wrote to memory of 2980	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2980	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2980	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2980	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2988	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2988	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2988	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2628 wrote to memory of 2988	2628	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2524 wrote to memory of 2000	2524	cmd.exe	vssadmin.exe
PID 2524 wrote to memory of 2000	2524	cmd.exe	vssadmin.exe
PID 2524 wrote to memory of 2000	2524	cmd.exe	vssadmin.exe
PID 2524 wrote to memory of 2000	2524	cmd.exe	vssadmin.exe
PID 2584 wrote to memory of 3012	2584	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
"C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
  C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C net stop vss
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\net.exe
      net stop vss
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vss
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Z: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Y: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2980
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=X: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2988
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=W: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1516
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=V: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=U: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1496
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=T: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:332
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=S: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:320
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=R: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1872
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Q: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2032
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=P: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1404
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=O: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2492
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=N: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:944
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=M: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1604
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=L: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1668
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=K: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2436
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=J: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2140
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=I: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1492
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=H: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1700
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=G: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:896
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=F: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1780
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=E: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=D: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2552
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=C: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=B: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=A: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 8444
    3⤵
    - Program crash
    PID:1692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_8c36b709

Filesize
126KB

MD5
0391023dab7004dbcb96cab7cc1602b2

SHA1
6c83e11583b195e6661aacb2ed9de37fe584364c

SHA256
f6cb25681ca6777c3e1029316f983ec56ef37d4adf9194d648635a4814ea3485

SHA512
75061dfe61f1fd6d458773fe420edbd072944b889add451269b6830a8810bfa37a26d795dd8739b80f6a245cad4aa4e47f3bff9c34d29872af053f2e53c74a9d

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_8c36b709

Filesize
28KB

MD5
735dc473c4e67d5d67d3bcd88d36fb37

SHA1
ae90c60d4fb828f027aa1ebc73aab4b788982fa2

SHA256
15eed907efb3b358af82079434e204225ceb92465dc90a23d6bd3bcbc389e902

SHA512
55fad682bcae34920cfaf8cc1e4cce919b9b9e55a4b0f8dc50f82145640248cf0195dda19cd721f165299f4540f2fa809549949851df651efb15169b709ae7d8

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_8c36b709

Filesize
1KB

MD5
14aa73eda313dcc89b2d9830b883d057

SHA1
fe606ba5c087bc036428d734a813caee64bce136

SHA256
e8aa69bc2d1ea42eeb583986f89fac2ec72f08409bee707540f0aabf72890dee

SHA512
f027a7fd0792fd0367382d5a5112175f24f4f418b9eefe96780389a08b51fcc03035aad52e126c3feabe8833592ffc72b69a089fcb38078b458174802be5077d

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{A9E4022C-9477-4B6D-B223-8709BE9C8AB0}.2.ver0x0000000000000002.db.hydracrypttmp_ID_8c36b709

Filesize
1KB

MD5
2cebacc78730325527087be8bbe46ade

SHA1
730a87f4c9ada2db7791640ceabde958be61e8da

SHA256
e57712881f9b7a5c903030ed9b91fdf8efbb8f4852eb5b16b4197b39bda1d579

SHA512
e472606abfc73a7a30c2f8b0798c3a0a1f4ce5f462523c88f3bfe6a661391b01c397131cc266dbcbcbb361931fa5d0eff8071b87411d247560b11b0cc6654160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\60QKHYE2\desktop.ini.hydracrypttmp_ID_8c36b709

Filesize
67B

MD5
c8c380ea573b670576c926ecea6f8b44

SHA1
5ffa0324ad7eda99e57b9787fa9f47383da45ff0

SHA256
e91e242a2d730155afd13c450c068cb62c1bdaf5e8bc454c9bf40b159aae210e

SHA512
a9b69b251e88ea4a48063961d464dd075c4327837a65637bfda77b85e94fb14c125a75ccfb1fb0af93da005a454c4b01bcfccec919c1f78aa68aee00f549d6a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XMOOPFZ1\desktop.ini.hydracrypt_ID_8c36b709

Filesize
331B

MD5
7f4026ad416f627ac55bc7cd64809771

SHA1
09bf53bb14f20bab68b0417cb33931e6af9d17e2

SHA256
68bcf191467610d592edb8cdbbb5cbf92b888d627e48bca742085b7f61bb5aa6

SHA512
249ee652d699c8a428f8fde78ddac90c57b5556222e38950f05d4ed2283e512e8f0d12a327a752835332b32c8bf008efeae4e2916d2c576f04f8b3f6120906a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051511232.html.hydracrypttmp_ID_8c36b709

Filesize
1.1MB

MD5
892c684f38853615b589043f93a3aff1

SHA1
da90e389eed0a4609f06c5c07d6605351aebd333

SHA256
41c0333e9bcccd69e0bf144c22b21ce62614cbd46f2d88ca7e1d42224ee99957

SHA512
6ccaa9ff3152292b86b08f7f25166aa065aa576eac620ee30e0b857e85aadd3ff9329a07094f72418969bc7702942506e22c698bc23dc028da8d7bd1326b0c18

Download Submit
C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat

Filesize
1KB

MD5
97af5987ff3d92867c5fd43bcd65b0c0

SHA1
ee0a355af5403d96e2a7a8fc091f4a233f6da787

SHA256
637b759f859bcb79be726f1cfca41dfb6cf252401d125e403afc2a46ecfadc9d

SHA512
dc489275e257d1367c78beb22cc969c9af7bb3f9b77d2c1264002685d6c93f7bb5c11ee746798560bb7f081d4869d2aec2e5cda8ae21147b4b57c040764ca93c

Download Submit
C:\Users\Admin\Desktop\ShowUnblock.xlsx.hydracrypttmp_ID_8c36b709

Filesize
14KB

MD5
c74ead6d856caeb58b916c2e3b097418

SHA1
fc869bb3acecb50bedcfc6561960a085885721eb

SHA256
508ef39a6eda1565a38a235fe29306072a45fc5506a0d1d94ad8e659ff1ca840

SHA512
851df558e1eae80066592435189643276006385eac01bd06f1c6872d2f55b29a4e72cc80061d04dcc2b0d28811131e1c1a2918b4f04fa63cd6bbea2bfe3b5874

Download Submit
C:\Users\Public\Videos\README_DECRYPT_HYDRA_ID_8c36b709.txt

Filesize
870B

MD5
36006a50bf0bee078e8b6096d083599c

SHA1
2cfef28cb6000f2b43a9173b2368c63361ead701

SHA256
41c4aeee47902be00f6535aa1a8753f8af529ee2d02245dc1cd48ad758c6a22c

SHA512
b3390474540d4f339d262550a88f7b47bdc665827f5b486dddc122661e7a403469beed775680ac265268414660a78a9d3ee681205e1334a188cbb0516b24094f

Download Submit
C:\Users\Public\Videos\README_DECRYPT_HYDRA_ID_8c36b709.txt

Filesize
915B

MD5
4a2545506bec96f69e4b4de1845f33d5

SHA1
ca4997ff3956ca9903b19c109d02a736bcf49a0a

SHA256
f8137ff22bcaf69a9aecc39945da8ecb8a3f4bf2acc923ed13ab1491eda630ba

SHA512
259098df65325c222c5abd3006f1dd6b1c9e58ccfb5e75ac4e616a5d811aed88345c827cd859165c075880647534acbe0be8b1988077c831baaeee786a24a06d

Download Submit
memory/1600-0-0x0000000000270000-0x0000000000275000-memory.dmp

Filesize
20KB

Download
memory/1780-24-0x0000000076C10000-0x0000000076D0A000-memory.dmp

Filesize
1000KB

Download
memory/1780-23-0x0000000076AF0000-0x0000000076C0F000-memory.dmp

Filesize
1.1MB

Download
memory/2628-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2628-2162-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2628-8-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2628-755-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2628-758-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2628-18-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2628-16-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2628-22-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2628-6-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2628-26-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2628-10-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2628-4-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2628-2-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2628-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2628-12-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2628-14-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2628-2973-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2628-2974-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download