hydracrypt | 51b3773145652b5d559396a08e1282a3a1d92d4df473f774d61791386fca0598

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Size

164KB
MD5

08b304d01220f9de63244b4666621bba
SHA1

b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
SHA256

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
SHA512

162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9
SSDEEP

3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn

Score

10^/10

hydracrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

HydraCrypt
Relatively unsophisticated ransomware family based on leaked CrypBoss source code.
ransomware hydracrypt
Hydracrypt family
hydracrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (444) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_77e208ed	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_77e208ed	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe\""	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\tecekydo.exe\""	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\65NE61TJ\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\V50G20NG\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BJINZE1S\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QHWRVUKQ\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
File opened (read-only)	\??\P:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\N:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\I:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\G:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\A:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\Z:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\T:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\Q:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\M:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\K:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\J:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\H:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\B:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\U:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\V:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\E:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\Y:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\W:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\S:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\R:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\O:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\L:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\X:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	pid	process	target process
PID 2996 set thread context of 2848	2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2672 2848 WerFault.exe afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

pid	pid_target	process	target process
2672	2848	WerFault.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vssadmin.execmd.execmd.execmd.exevssadmin.exevssadmin.execmd.execmd.exevssadmin.exevssadmin.execmd.exevssadmin.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.execmd.execmd.exevssadmin.exevssadmin.execmd.exevssadmin.exevssadmin.exevssadmin.execmd.execmd.execmd.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.execmd.execmd.exevssadmin.execmd.execmd.execmd.exevssadmin.execmd.exeafd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exeWMIC.execmd.execmd.exenet.execmd.exevssadmin.exevssadmin.exeafd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exenet1.execmd.execmd.exevssadmin.execmd.execmd.exevssadmin.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1040	vssadmin.exe
3064	vssadmin.exe
1496	vssadmin.exe
1080	vssadmin.exe
1080	vssadmin.exe
1556	vssadmin.exe
1724	vssadmin.exe
1736	vssadmin.exe
2328	vssadmin.exe
1776	vssadmin.exe
2244	vssadmin.exe
2816	vssadmin.exe
2672	vssadmin.exe
2012	vssadmin.exe
1144	vssadmin.exe
1956	vssadmin.exe
1924	vssadmin.exe
2080	vssadmin.exe
1340	vssadmin.exe
2340	vssadmin.exe
1084	vssadmin.exe
1600	vssadmin.exe
1932	vssadmin.exe
2184	vssadmin.exe
2152	vssadmin.exe
1576	vssadmin.exe
1952	vssadmin.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

pid process

2996 afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	560	WMIC.exe
Token: SeSecurityPrivilege	560	WMIC.exe
Token: SeTakeOwnershipPrivilege	560	WMIC.exe
Token: SeLoadDriverPrivilege	560	WMIC.exe
Token: SeSystemProfilePrivilege	560	WMIC.exe
Token: SeSystemtimePrivilege	560	WMIC.exe
Token: SeProfSingleProcessPrivilege	560	WMIC.exe
Token: SeIncBasePriorityPrivilege	560	WMIC.exe
Token: SeCreatePagefilePrivilege	560	WMIC.exe
Token: SeBackupPrivilege	560	WMIC.exe
Token: SeRestorePrivilege	560	WMIC.exe
Token: SeShutdownPrivilege	560	WMIC.exe
Token: SeDebugPrivilege	560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	560	WMIC.exe
Token: SeRemoteShutdownPrivilege	560	WMIC.exe
Token: SeUndockPrivilege	560	WMIC.exe
Token: SeManageVolumePrivilege	560	WMIC.exe
Token: 33	560	WMIC.exe
Token: 34	560	WMIC.exe
Token: 35	560	WMIC.exe
Token: SeIncreaseQuotaPrivilege	560	WMIC.exe
Token: SeSecurityPrivilege	560	WMIC.exe
Token: SeTakeOwnershipPrivilege	560	WMIC.exe
Token: SeLoadDriverPrivilege	560	WMIC.exe
Token: SeSystemProfilePrivilege	560	WMIC.exe
Token: SeSystemtimePrivilege	560	WMIC.exe
Token: SeProfSingleProcessPrivilege	560	WMIC.exe
Token: SeIncBasePriorityPrivilege	560	WMIC.exe
Token: SeCreatePagefilePrivilege	560	WMIC.exe
Token: SeBackupPrivilege	560	WMIC.exe
Token: SeRestorePrivilege	560	WMIC.exe
Token: SeShutdownPrivilege	560	WMIC.exe
Token: SeDebugPrivilege	560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	560	WMIC.exe
Token: SeRemoteShutdownPrivilege	560	WMIC.exe
Token: SeUndockPrivilege	560	WMIC.exe
Token: SeManageVolumePrivilege	560	WMIC.exe
Token: 33	560	WMIC.exe
Token: 34	560	WMIC.exe
Token: 35	560	WMIC.exe
Token: SeBackupPrivilege	2888	vssvc.exe
Token: SeRestorePrivilege	2888	vssvc.exe
Token: SeAuditPrivilege	2888	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

pid	process
2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exeafd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.execmd.execmd.exenet.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2996 wrote to memory of 2848	2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2996 wrote to memory of 2848	2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2996 wrote to memory of 2848	2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2996 wrote to memory of 2848	2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2996 wrote to memory of 2848	2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2996 wrote to memory of 2848	2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2996 wrote to memory of 2848	2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2996 wrote to memory of 2848	2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2996 wrote to memory of 2848	2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2996 wrote to memory of 2848	2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2996 wrote to memory of 2848	2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2996 wrote to memory of 2848	2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2996 wrote to memory of 2848	2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2996 wrote to memory of 2848	2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2996 wrote to memory of 2848	2996	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2848 wrote to memory of 2856	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2856	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2856	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2856	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2804	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2804	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2804	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2804	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2708	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2708	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2708	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2708	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2856 wrote to memory of 2768	2856	cmd.exe	net.exe
PID 2856 wrote to memory of 2768	2856	cmd.exe	net.exe
PID 2856 wrote to memory of 2768	2856	cmd.exe	net.exe
PID 2856 wrote to memory of 2768	2856	cmd.exe	net.exe
PID 2848 wrote to memory of 2552	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2552	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2552	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2552	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2804 wrote to memory of 2012	2804	cmd.exe	vssadmin.exe
PID 2804 wrote to memory of 2012	2804	cmd.exe	vssadmin.exe
PID 2804 wrote to memory of 2012	2804	cmd.exe	vssadmin.exe
PID 2804 wrote to memory of 2012	2804	cmd.exe	vssadmin.exe
PID 2848 wrote to memory of 2548	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2548	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2548	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 2548	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2768 wrote to memory of 2176	2768	net.exe	net1.exe
PID 2768 wrote to memory of 2176	2768	net.exe	net1.exe
PID 2768 wrote to memory of 2176	2768	net.exe	net1.exe
PID 2768 wrote to memory of 2176	2768	net.exe	net1.exe
PID 2848 wrote to memory of 776	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 776	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 776	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 776	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2708 wrote to memory of 560	2708	cmd.exe	WMIC.exe
PID 2708 wrote to memory of 560	2708	cmd.exe	WMIC.exe
PID 2708 wrote to memory of 560	2708	cmd.exe	WMIC.exe
PID 2708 wrote to memory of 560	2708	cmd.exe	WMIC.exe
PID 2552 wrote to memory of 1084	2552	cmd.exe	vssadmin.exe
PID 2552 wrote to memory of 1084	2552	cmd.exe	vssadmin.exe
PID 2552 wrote to memory of 1084	2552	cmd.exe	vssadmin.exe
PID 2552 wrote to memory of 1084	2552	cmd.exe	vssadmin.exe
PID 2848 wrote to memory of 1688	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 1688	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 1688	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2848 wrote to memory of 1688	2848	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 776 wrote to memory of 2152	776	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
"C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
  C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C net stop vss
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\net.exe
      net stop vss
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vss
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Z: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Y: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=X: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1688
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=W: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:836
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=V: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=U: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2388
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=T: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1984
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=S: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=R: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3020
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Q: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2296
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=P: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1628
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=O: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1612
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=N: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2072
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=M: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1732
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=L: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=K: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:768
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=J: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1660
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=I: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1524
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=H: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=G: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1916
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=F: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2564
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=E: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1476
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=D: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2440
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=C: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1740
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=B: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2532
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=A: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 8464
    3⤵
    - Program crash
    PID:2672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_77e208ed

Filesize
126KB

MD5
cbf668d28a981f15b44d022884b9c2a6

SHA1
e8027489d2a6265a52e88388d318466459a62858

SHA256
731d891bb374f6a5aca0c00bc0b641738f7b9c85dc0fe430b83899ba8dd83e51

SHA512
b34e3628eb1e29d33c9542d39cddafcbe9ae311f5dfd520b26df932cfafbb31ab66bc9f843eb3ae9b11d1f16aaa68522529930e853cb727eb3697d23e7e8aae4

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_77e208ed

Filesize
28KB

MD5
cda65828574b1c2248f8037c449b9eaf

SHA1
06001ddd4fe019386e390d562f683260f1d63bc6

SHA256
3c14143580caecba8032c88737105203de31a0efde9f9fc5a86e12c69fb21d50

SHA512
5f725dc94d811dda6a782ce6d1e4c9287729db68449c0c143409ce4566023036673579f484c28989cc63c74088dad60112a96b26520d96b96e03ae19edd868bd

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_77e208ed

Filesize
1KB

MD5
cbc73f5a5bd25506f63f154e9d17538b

SHA1
f7f4c40bc83384db49e264602e526207c364921d

SHA256
c4374ee6a84b813e4b8f2a937653130dbbbcf00271bf083dc2fe602a17205b48

SHA512
6e904684b0194ed9abbf15648b9c2772db599eb2347835dcc8fcd750cddaf94f5fdb6f5cca100b6c775a02bab7165f7145d16138aeee6d58cdf0b4ec5cd45e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BJINZE1S\desktop.ini.hydracrypttmp_ID_77e208ed

Filesize
67B

MD5
e22756847d5c12fe0a5aecc959f3175a

SHA1
1e7aefde282159ce4e0dd9427ca142ace934acf0

SHA256
e7362a23757f60daa598a2205e641e6d7558912938370769be9588a8fc91cc49

SHA512
6a0c6e13fb9fcb6973ae95a6457ae279159407d08625ade9a73ed0f86797069e9f4937d2638af2b1a524c46d4325cf1a32b222bf9898c9f5632145909907849e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\V50G20NG\desktop.ini.hydracrypt_ID_77e208ed

Filesize
331B

MD5
91df9d2810f5c3ad1dc5dd038197193a

SHA1
c55fde57d1775f7064ad5a20c0c681ec55c7158e

SHA256
82674fe795093a781156306dbf5cdad622357f7971d6209b06dd0c44b60ca198

SHA512
35dc0f0e0599c960aa927bfe6726bd8ac4af20c3b9e7dde1bc2cf363954c311597f2fc485a763d8c65e535f543f2736680b914676a24b5ec63bb3cae45a29988

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20241010_084107918.html.hydracrypttmp_ID_77e208ed

Filesize
1.1MB

MD5
ededb9ac8306f512e9322987e9e6e9ed

SHA1
adf7325612af9a022dc1f8a0a9194b2118db07d0

SHA256
45893fb5851ae02dfb37a0dfda5c670ba5fdf52faf53a956f3e740e466612344

SHA512
bcc118ff18c44840c3ad3a5def309c98727e600b4f94fe027be3dafd5c91b39fa12a4066d5e1f14cfacafa8759b61226a99957cabccd214c9c672036b44a99ec

Download Submit
C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat

Filesize
1KB

MD5
4710ee5a3cd42ad074b482421686e8dc

SHA1
1d35bbaaa99b790dd4bc569e225a0ea760894f5f

SHA256
c48d58bb2cb8047619ab77e57f622059849b2572276c5c3b0da13514f8febbd2

SHA512
7fc19bb0f00ddaf1d1fa7acc990ad4cd1a3dd732d8ebf8cde3e80cc381e662c5204d6ada027494159f2a5017b5412d5ab864863e6a4a18d1983d125f573fbf5a

Download Submit
C:\Users\Admin\Documents\InstallResume.xlsx.hydracrypttmp_ID_77e208ed

Filesize
9KB

MD5
6fd1d2f6598bb7b488758bab241fd8a1

SHA1
91850c2a34b12e97c30650816cf2fc7eda4138ba

SHA256
64afdeeed954e4986dae635d6828827559a04f51446cb3fbdf72e0493d96ba15

SHA512
74e4b9570ae75a888bc9195ba2f5ea8c0048ca5fad1cf9378360ec2013bd98fdb4f81a1431f218ff702e785245d120d58e864d0224a39fb415f1212ae3ec4a13

Download Submit
C:\Users\Public\Videos\README_DECRYPT_HYDRA_ID_77e208ed.txt

Filesize
915B

MD5
6b4312e8fb715ba104345038b0fe567f

SHA1
eba1497c1654d80543f04538191082da094ed0eb

SHA256
2fba5e32eef4cbea75cef9396d5a7017c057bc35af921495c217555d4655aab6

SHA512
9b4eab2b9e7b3c4ae787897f637af51440166d71269d2493ff0d306d8679e45adbe7fdd39e298aa26c279d4bc18a5207c9e8f035532437cf9de603d1da53c2b2

Download Submit
memory/2848-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2848-2833-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2848-19-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2848-5-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2848-25-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2848-17-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2848-434-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2848-436-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2848-7-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2848-11-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2848-1936-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2848-23-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2848-15-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2848-9-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2848-3-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2848-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2848-13-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2848-2832-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2996-0-0x0000000000280000-0x0000000000285000-memory.dmp

Filesize
20KB

Download