hydracrypt | 51b3773145652b5d559396a08e1282a3a1d92d4df473f774d61791386fca0598

Resubmissions

22-11-2024 22:54

241122-2vh7gaxmfl 10

22-11-2024 03:27

241122-dzqkcatmht 10

22-11-2024 03:16

241122-dsgc4atlgs 10

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Size

164KB
MD5

08b304d01220f9de63244b4666621bba
SHA1

b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
SHA256

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
SHA512

162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9
SSDEEP

3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn

Score

10^/10

hydracrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

HydraCrypt
Relatively unsophisticated ransomware family based on leaked CrypBoss source code.
ransomware hydracrypt
Hydracrypt family
hydracrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (471) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_be05db26	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_be05db26	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe\""	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\zewewase.exe\""	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U8F4PBMO\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YPLB435F\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\R627XHFP\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OM66BHWE\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
File opened (read-only)	\??\T:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\S:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\R:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\N:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\M:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\K:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\B:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\L:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\J:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\Z:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\Y:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\I:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\H:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\E:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\G:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\X:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\W:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\V:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\U:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\Q:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\P:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\O:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\A:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	pid	process	target process
PID 1224 set thread context of 1868	1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1784 1868 WerFault.exe afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

pid	pid_target	process	target process
1784	1868	WerFault.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vssadmin.execmd.execmd.exevssadmin.execmd.execmd.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.execmd.exevssadmin.exevssadmin.execmd.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.execmd.execmd.exevssadmin.execmd.exevssadmin.execmd.exeafd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exevssadmin.execmd.execmd.execmd.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.execmd.execmd.exeafd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exevssadmin.exevssadmin.exevssadmin.execmd.exevssadmin.exevssadmin.exeWMIC.execmd.execmd.exevssadmin.exenet.execmd.execmd.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.exenet1.execmd.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1708	vssadmin.exe
1228	vssadmin.exe
3040	vssadmin.exe
2784	vssadmin.exe
2952	vssadmin.exe
1652	vssadmin.exe
2588	vssadmin.exe
2212	vssadmin.exe
2216	vssadmin.exe
444	vssadmin.exe
2484	vssadmin.exe
2572	vssadmin.exe
2888	vssadmin.exe
600	vssadmin.exe
2140	vssadmin.exe
1996	vssadmin.exe
2344	vssadmin.exe
1012	vssadmin.exe
2204	vssadmin.exe
1312	vssadmin.exe
1540	vssadmin.exe
3036	vssadmin.exe
2548	vssadmin.exe
608	vssadmin.exe
2124	vssadmin.exe
968	vssadmin.exe
2708	vssadmin.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

pid process

1224 afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe
Token: SeSecurityPrivilege	2648	WMIC.exe
Token: SeTakeOwnershipPrivilege	2648	WMIC.exe
Token: SeLoadDriverPrivilege	2648	WMIC.exe
Token: SeSystemProfilePrivilege	2648	WMIC.exe
Token: SeSystemtimePrivilege	2648	WMIC.exe
Token: SeProfSingleProcessPrivilege	2648	WMIC.exe
Token: SeIncBasePriorityPrivilege	2648	WMIC.exe
Token: SeCreatePagefilePrivilege	2648	WMIC.exe
Token: SeBackupPrivilege	2648	WMIC.exe
Token: SeRestorePrivilege	2648	WMIC.exe
Token: SeShutdownPrivilege	2648	WMIC.exe
Token: SeDebugPrivilege	2648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2648	WMIC.exe
Token: SeRemoteShutdownPrivilege	2648	WMIC.exe
Token: SeUndockPrivilege	2648	WMIC.exe
Token: SeManageVolumePrivilege	2648	WMIC.exe
Token: 33	2648	WMIC.exe
Token: 34	2648	WMIC.exe
Token: 35	2648	WMIC.exe
Token: SeBackupPrivilege	928	vssvc.exe
Token: SeRestorePrivilege	928	vssvc.exe
Token: SeAuditPrivilege	928	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe
Token: SeSecurityPrivilege	2648	WMIC.exe
Token: SeTakeOwnershipPrivilege	2648	WMIC.exe
Token: SeLoadDriverPrivilege	2648	WMIC.exe
Token: SeSystemProfilePrivilege	2648	WMIC.exe
Token: SeSystemtimePrivilege	2648	WMIC.exe
Token: SeProfSingleProcessPrivilege	2648	WMIC.exe
Token: SeIncBasePriorityPrivilege	2648	WMIC.exe
Token: SeCreatePagefilePrivilege	2648	WMIC.exe
Token: SeBackupPrivilege	2648	WMIC.exe
Token: SeRestorePrivilege	2648	WMIC.exe
Token: SeShutdownPrivilege	2648	WMIC.exe
Token: SeDebugPrivilege	2648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2648	WMIC.exe
Token: SeRemoteShutdownPrivilege	2648	WMIC.exe
Token: SeUndockPrivilege	2648	WMIC.exe
Token: SeManageVolumePrivilege	2648	WMIC.exe
Token: 33	2648	WMIC.exe
Token: 34	2648	WMIC.exe
Token: 35	2648	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

pid	process
1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exeafd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.execmd.execmd.exenet.execmd.execmd.exe

description	pid	process	target process
PID 1224 wrote to memory of 1868	1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1224 wrote to memory of 1868	1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1224 wrote to memory of 1868	1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1224 wrote to memory of 1868	1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1224 wrote to memory of 1868	1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1224 wrote to memory of 1868	1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1224 wrote to memory of 1868	1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1224 wrote to memory of 1868	1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1224 wrote to memory of 1868	1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1224 wrote to memory of 1868	1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1224 wrote to memory of 1868	1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1224 wrote to memory of 1868	1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1224 wrote to memory of 1868	1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1224 wrote to memory of 1868	1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1224 wrote to memory of 1868	1224	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1868 wrote to memory of 2088	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	conhost.exe
PID 1868 wrote to memory of 2088	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	conhost.exe
PID 1868 wrote to memory of 2088	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	conhost.exe
PID 1868 wrote to memory of 2088	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	conhost.exe
PID 1868 wrote to memory of 2272	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2272	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2272	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2272	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2088 wrote to memory of 2956	2088	cmd.exe	net.exe
PID 2088 wrote to memory of 2956	2088	cmd.exe	net.exe
PID 2088 wrote to memory of 2956	2088	cmd.exe	net.exe
PID 2088 wrote to memory of 2956	2088	cmd.exe	net.exe
PID 1868 wrote to memory of 2808	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2808	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2808	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2808	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2864	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2864	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2864	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2864	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2272 wrote to memory of 2708	2272	cmd.exe	vssadmin.exe
PID 2272 wrote to memory of 2708	2272	cmd.exe	vssadmin.exe
PID 2272 wrote to memory of 2708	2272	cmd.exe	vssadmin.exe
PID 2272 wrote to memory of 2708	2272	cmd.exe	vssadmin.exe
PID 1868 wrote to memory of 2692	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2692	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2692	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2692	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2956 wrote to memory of 2952	2956	net.exe	vssadmin.exe
PID 2956 wrote to memory of 2952	2956	net.exe	vssadmin.exe
PID 2956 wrote to memory of 2952	2956	net.exe	vssadmin.exe
PID 2956 wrote to memory of 2952	2956	net.exe	vssadmin.exe
PID 1868 wrote to memory of 2012	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2012	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2012	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2012	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2808 wrote to memory of 2648	2808	cmd.exe	WMIC.exe
PID 2808 wrote to memory of 2648	2808	cmd.exe	WMIC.exe
PID 2808 wrote to memory of 2648	2808	cmd.exe	WMIC.exe
PID 2808 wrote to memory of 2648	2808	cmd.exe	WMIC.exe
PID 2864 wrote to memory of 2588	2864	cmd.exe	vssadmin.exe
PID 2864 wrote to memory of 2588	2864	cmd.exe	vssadmin.exe
PID 2864 wrote to memory of 2588	2864	cmd.exe	vssadmin.exe
PID 2864 wrote to memory of 2588	2864	cmd.exe	vssadmin.exe
PID 1868 wrote to memory of 2832	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2832	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2832	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2832	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1868 wrote to memory of 2872	1868	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
"C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
  C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C net stop vss
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\SysWOW64\net.exe
      net stop vss
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vss
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Z: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2692
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Y: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=X: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=W: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=V: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=U: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1800
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=T: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1480
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=S: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=R: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Q: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1216
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=P: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1984
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=O: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1588
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=N: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1748
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=M: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1440
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=L: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1524
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=K: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1164
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=J: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2388
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=I: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1424
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=H: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2432
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=G: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2948
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=F: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1536
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=E: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=D: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=C: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1488
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=B: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=A: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 8448
    3⤵
    - Program crash
    PID:1784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-154026337613796902131645321475-593621597759576898-9804890261964923151-748453947"
1⤵
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_be05db26

Filesize
126KB

MD5
af0e5ab8b365456e5d4f28aeb2bebc7d

SHA1
4c5026ba0333645022e00b0d9796d8eaf31c7b83

SHA256
f36b0f051757135ac8213be3fa0897a8dec367fbc3d654395ac14189e7721ea1

SHA512
e675f353c519ba59e89b3ea3cf71903fb41821f72aeb3c412adfc309891f1713d03ca17297a096e5c50d5ff715bf47ab594833ff6f0eca54b7c6ef3fa3523612

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_be05db26

Filesize
28KB

MD5
7c15b6e8d3fabd5c4915bcb39fc8f2c2

SHA1
f2aa943d9392d10a1be43227d151fa8ad7444e31

SHA256
fa4900272d048c5d01d45fc206ab95d8beb1e35b2267ba56d5cddbbd1318c041

SHA512
a7b0e016cdf02e8d693be274ed187f00ba6de23c3d3758eebf4575875d5700b979c2411091ae36bf6ff27a8210117344adac82b46d37832ec42aa037e7949329

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_be05db26

Filesize
1KB

MD5
ef018b1cc4d7cc0c6a2e2dabf77315fc

SHA1
74e7524c97de71b918a7f4251ceb0ec6926cb0b6

SHA256
b01958a664a3c0b11c4848a3c67cdd75d19a6682d6c6b0ab9fcb09a7a546faa2

SHA512
c8cc0d1b90e337fbd7c907f041363e46af79256a1f5cd139dbe6d5f556d0ae8d11a0c89a6a1f1d62c1a2e58a3305f97ca912f384da084c2a6f8b05e234ccd8eb

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{05BA2C8E-477D-4C5B-B7F3-015066B56DE0}.2.ver0x0000000000000002.db.hydracrypttmp_ID_be05db26

Filesize
1KB

MD5
2f1fece79ac1b267a30de8eb36f98c2e

SHA1
6d1822296715f16d8398e24616ec3d78c8c90f8a

SHA256
9b606ac981412827f6f65a84523c89de49f61b538af19916c4ac3ba44bc59fd7

SHA512
c836fda5ab28e3fad9caee334d0bd93611a07034f2a43adc33f939bcc409ee5d757ac1be18980d6ea62ba5e95c83490587eaac0cb989cbaa5ad9fd6f84b8627f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\R627XHFP\desktop.ini.hydracrypttmp_ID_be05db26

Filesize
67B

MD5
320737250201ffe263e6371f42174fab

SHA1
a34c611b01469b8e94c44469f8a69d3f533baeb2

SHA256
e5f84138757d59fb63878669608be1ba4cee3b05393f690a5aa993202a3c386c

SHA512
9f76f7cae2a046e0925a124c653c2f54b448b16b0da5d310d9811fc1664ab14d251d22005b257949fa74be6365ff16bd1690deabd159b6f847039b3f43ce6993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YPLB435F\desktop.ini.hydracrypt_ID_be05db26

Filesize
331B

MD5
b31d1e05ae77fd25bc63c67fea68f421

SHA1
9ec27beb7d830219dc9c0deb8e464fa4a6820ae3

SHA256
358359415a535edb5c7e66bde833f5c67a1c944e3775f859ca3c6780655e7e3e

SHA512
babeda7e2ff49d57aba9925f1b22ecfe6db37f7aad9a3afa45f8b2cb345f384d25916d9c892d4160d49fcd849257d1e1b5d27af197e9713e0ace60e8fa68e3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051516914.html.hydracrypttmp_ID_be05db26

Filesize
1.1MB

MD5
d121a9bd42250639342c9ee3cfdcf695

SHA1
836662494c97d73f03f3962792ebf0c91cc17598

SHA256
313a011e227cb17793dc6dfc2f6e68235eba06bd559a8efe179b2ea36f3677cc

SHA512
a94d5cec0d16c8f69287e07b8143eb7e9513683d244ea1b0fc8ba76473d04544f28b14a552c5f7e0eaa105f22aea3208bed553ba5be19859ba087ac78fcb4fed

Download Submit
C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat

Filesize
1KB

MD5
6f334298b2b1054d7c5b10631bc64da0

SHA1
70921e00e3cf4d3cf7fed5577108cfc76a75e65b

SHA256
28bf6b13b6181bebf360cce7a553d6c34bdfc8085a81b80c2e118293aa5f7874

SHA512
4040fa2f57c9d09438951f89976673d32285b1cfd524baa86127ce0cb6ce73ec0cea83769b091c40651d8f455e63153b106919e9e40fcf5f8e5400bfef148d2d

Download Submit
C:\Users\Admin\Documents\DenyShow.xlsx.hydracrypttmp_ID_be05db26

Filesize
12KB

MD5
409b4430fe9afbc69ef7701431466810

SHA1
69af7011c22b327d3a6359a2f8c944ad07e1825d

SHA256
166dab35b54365457cf555dedc0b67508134e4d1b36fc72ef512f0e58a6ddfdf

SHA512
b37c61e342f3b49c33f42c14c4b5b804f9d7dc98bb0906265b4292fc5fe44d7304fa217ae0ec4fa434bf8a3b20084a2b576f7f5e7fe2e6c0205eddff5eac19af

Download Submit
C:\Users\Public\Documents\README_DECRYPT_HYDRA_ID_be05db26.txt

Filesize
915B

MD5
179b533c407974ba94a9bdf288eab920

SHA1
1a16945948d069886d7944f0e371dd733573de2b

SHA256
b962134a0ca78b26383e930b59f179ea9cb5e6a3e17cc1ef491fdb7a7f51de53

SHA512
fac8f9b5083fcd16ca08c846b06f57523453243df19d1259c8ba7ac2313b9a80bc8ed1fa132407aa0f3e88fe7996c9db0d275127694443d1b4a0f82e6dfe884a

Download Submit
memory/1224-0-0x00000000002F0000-0x00000000002F5000-memory.dmp

Filesize
20KB

Download
memory/1868-7-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1868-11-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1868-25-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1868-15-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1868-17-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1868-436-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1868-435-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1868-19-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1868-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1868-26-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1868-1931-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1868-13-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1868-23-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1868-9-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1868-5-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1868-3-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1868-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1868-2947-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1868-2949-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download