Analysis
-
max time kernel
96s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30-11-2024 13:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Resource
win7-20240903-en
windows7-x64
18 signatures
150 seconds
Behavioral task
behavioral2
Sample
f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
22 signatures
150 seconds
General
-
Target
f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
-
Size
663KB
-
MD5
7df4d51141b1c657e2c5f78ada3b526a
-
SHA1
d0bbec49bbf722aa102e3cbd548cfec5f88dd6a8
-
SHA256
f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca
-
SHA512
fed221cf7f27d3e74023457c58e903e55aa14a608db36df341e8bef2b2cb751ca1fb90da1e6a091ed0fbab70347e67365398c1af51815bec1da0ff330e35b54a
-
SSDEEP
12288:UIj+Lg10Vgi+ve+Ge5JFzLZQMDObpph0lhSMXl+XXenm1hdLQ:Uc+k18+ve+Ge53LuMKHh0lhSMXlYei
Malware Config
Extracted
Path
F:\$RECYCLE.BIN\READ_NOTE.html
Ransom Note
<div class="tabs1">
<div class="head"><strong>Your personal ID:</strong></div>
<div class="identi"><span style="width: 1000px; color: #ffffff; font-size: 10px;">AUIHe5eUNIJRAOgm1c4k1MKf+zIuqf7L5lcBbp/yEbLju7+G2UhQz//TKFOBAi7UKt0qLnjpMUGjzde4kEfuTKIm8B7CM3pt4ZjlEJlb/7fuxvxhn8JPOVL50scq/hsmaeg89bJQURp4VsG2FA7gnlt0Mnx1CYwR0deego7dsZm8lzhEYlC8U8/3oiWiuc70N5lwxa/C0rNUW7rwp1z3ekL1bCS299kusF5OCuO/82TyA/CeE9Pg3VOaXTKzvgxKheoqE9tFe21e9jqvd3EboUiVXBhxP+WCVD48xf1DqQh/0o156wnMuGFwqMPeW/qOyKthIsezZRcWdsGyqFsYXw==�</span> <br /> <!-- !!! dont changing this !!! --></div>
</div>
<!-- -->
<div class="tabs"><!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text"><!--text data --> <strong>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</strong><br /> <strong>All your important files have been encrypted!</strong><br /><br /><hr /><span style="text-decoration: underline; background-color: #00ff00;"><em>Your files are safe! Only modified. (RSA+AES)</em></span><br /><br /> <span style="background-color: #00ff00;"><strong>ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE</strong></span><br /><span style="background-color: #00ff00;"><strong> WILL PERMANENTLY CORRUPT IT.</strong></span><br /><span style="background-color: #00ff00;"><strong> DO NOT MODIFY ENCRYPTED FILES.</strong></span><br /><span style="background-color: #00ff00;"><strong> DO NOT RENAME ENCRYPTED FILES.</strong></span><br /><br /> No software available on internet can help you. We are the only ones able to<br /> solve your problem.<br /><br /> We gathered highly confidential/personal data. These data are currently stored on<br /> a private server. This server will be immediately destroyed after your payment.<br /> If you decide to not pay, we will release your data to public or re-seller.<br /> So you can expect your data to be publicly available in the near future..<br /><br /> We only seek money and our goal is not to damage your reputation or prevent<br /> your business from running.<br /><br /> You will can send us 2-3 non-important files and we will decrypt it for free<br /> to prove we are able to give your files back.<br /> When you compose a letter, please indicate the <strong>PERSONAL ID</strong> from the beginning of the note, so that we can more specifically approach the formation of conditions for you.<br /> <!--text data --><hr /><strong>Contact us for price and get decryption software.</strong><br /><br /><hr /><strong>email:</strong><br /> <a href="[email protected]">[email protected] </a> <br /> <a href="[email protected]">[email protected] </a> <br /> <strong>OUR TOX:</strong> <a href="https://tox.chat/clients.html"> BA3779BDEE7B982BF08FC0B7B0410E6AE7CC6612B13433B60000E0757BDD682A69AD98563AEC</a> <br />
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br /> <strong> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</strong><br /></a></p>
<p>*Our site and Tor-chat to always be in touch:</p>
</div>
</div>
</div>
<!--tab--> <strong> <strong><span style="background-color: #00ff00; font-size: 22px;"> <strong> xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion </strong></span><br /><br /> </strong><br /> <!--text data --> </strong></div>
<!--tab-->
Emails
URLs
http://xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 2332 created 3480 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 54 -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
pid Process 1104 bcdedit.exe -
Renames multiple (5253) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
pid Process 3604 wbadmin.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\V: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\Y: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\G: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\M: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\H: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\I: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\O: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\Q: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\N: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\E: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\U: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\P: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\U: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\W: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\X: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\L: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\Z: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\L: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\Y: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\B: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\G: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\K: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\N: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\F: cipher.exe File opened (read-only) \??\A: cipher.exe File opened (read-only) \??\E: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\T: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\O: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\W: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\S: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\T: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\X: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\A: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\R: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\J: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\Q: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\J: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\S: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\H: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\K: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\P: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\R: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\V: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\Z: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\F: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\M: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\B: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened (read-only) \??\I: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 api.ipify.org 4 api.ipify.org 13 api.ipify.org -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "\\\\?\\C:\\Users\\Admin\\AppData\\Local\\Temp\\output.bmp" f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-150.png f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_icons_retina.png f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files\Microsoft Office\PackageManifests\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files\VideoLAN\VLC\locale\uz\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-140.png f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\Cryptomining.DATA f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\ThumbAerial.png f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\SoftLandingAssetLight.gif.DATA f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files\Microsoft Office\root\vfs\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessCompare.rdlc f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache.scale-200.png f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\PSGet.Resource.psd1 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files\Google\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\ui-strings.js f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\it-it\ui-strings.js f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\loc_archives\en-gb\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\pstn\PSTN_cluster.png f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\plugin.js f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_pdf_18.svg f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files (x86)\Internet Explorer\uk-UA\ieinstal.exe.mui f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling_features.txt f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosLargeTile.scale-100.png f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\IDPValueAssets\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxMetadata\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\WinMetadata\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ui-strings.js f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\freebxml.md f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\accessibility_keyboard_arrows.png f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Applications.Telemetry.Windows.winmd f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\MSASignIn.winmd f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\et-EE\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\css\fonts\segoeui_semibold.woff f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256_altform-unplated_contrast-white.png f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-400.png f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\MSFT_PackageManagementSource.schema.mfl f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl wbadmin.exe File created C:\Windows\READ_NOTE.html f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Windows\bootstat.dat f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Windows\mib.bin f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Windows\Professional.xml f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Windows\WMSysPr9.prx f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl wbadmin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4288 vssadmin.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3350944739-639801879-157714471-1000\{ED2F4B1A-5C10-40C3-AA09-86C62808CB67} explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1100 WMIC.exe Token: SeSecurityPrivilege 1100 WMIC.exe Token: SeTakeOwnershipPrivilege 1100 WMIC.exe Token: SeLoadDriverPrivilege 1100 WMIC.exe Token: SeSystemProfilePrivilege 1100 WMIC.exe Token: SeSystemtimePrivilege 1100 WMIC.exe Token: SeProfSingleProcessPrivilege 1100 WMIC.exe Token: SeIncBasePriorityPrivilege 1100 WMIC.exe Token: SeCreatePagefilePrivilege 1100 WMIC.exe Token: SeBackupPrivilege 1100 WMIC.exe Token: SeRestorePrivilege 1100 WMIC.exe Token: SeShutdownPrivilege 1100 WMIC.exe Token: SeDebugPrivilege 1100 WMIC.exe Token: SeSystemEnvironmentPrivilege 1100 WMIC.exe Token: SeRemoteShutdownPrivilege 1100 WMIC.exe Token: SeUndockPrivilege 1100 WMIC.exe Token: SeManageVolumePrivilege 1100 WMIC.exe Token: 33 1100 WMIC.exe Token: 34 1100 WMIC.exe Token: 35 1100 WMIC.exe Token: 36 1100 WMIC.exe Token: SeBackupPrivilege 4332 vssvc.exe Token: SeRestorePrivilege 4332 vssvc.exe Token: SeAuditPrivilege 4332 vssvc.exe Token: SeShutdownPrivilege 3520 explorer.exe Token: SeCreatePagefilePrivilege 3520 explorer.exe Token: SeShutdownPrivilege 3520 explorer.exe Token: SeCreatePagefilePrivilege 3520 explorer.exe Token: SeShutdownPrivilege 3520 explorer.exe Token: SeCreatePagefilePrivilege 3520 explorer.exe Token: SeShutdownPrivilege 3520 explorer.exe Token: SeCreatePagefilePrivilege 3520 explorer.exe Token: SeShutdownPrivilege 3520 explorer.exe Token: SeCreatePagefilePrivilege 3520 explorer.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 3520 explorer.exe 3520 explorer.exe 3520 explorer.exe 3520 explorer.exe 3520 explorer.exe 3520 explorer.exe -
Suspicious use of SendNotifyMessage 8 IoCs
pid Process 3520 explorer.exe 3520 explorer.exe 3520 explorer.exe 3520 explorer.exe 3520 explorer.exe 3520 explorer.exe 3520 explorer.exe 3520 explorer.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 2332 wrote to memory of 408 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 84 PID 2332 wrote to memory of 408 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 84 PID 2332 wrote to memory of 408 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 84 PID 2332 wrote to memory of 644 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 85 PID 2332 wrote to memory of 644 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 85 PID 2332 wrote to memory of 644 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 85 PID 2332 wrote to memory of 3280 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 86 PID 2332 wrote to memory of 3280 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 86 PID 2332 wrote to memory of 3280 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 86 PID 2332 wrote to memory of 2828 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 87 PID 2332 wrote to memory of 2828 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 87 PID 2332 wrote to memory of 2828 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 87 PID 2828 wrote to memory of 4248 2828 cmd.exe 90 PID 2828 wrote to memory of 4248 2828 cmd.exe 90 PID 408 wrote to memory of 4100 408 cmd.exe 91 PID 408 wrote to memory of 4100 408 cmd.exe 91 PID 644 wrote to memory of 732 644 cmd.exe 92 PID 644 wrote to memory of 732 644 cmd.exe 92 PID 3280 wrote to memory of 1768 3280 cmd.exe 93 PID 3280 wrote to memory of 1768 3280 cmd.exe 93 PID 732 wrote to memory of 3604 732 cmd.exe 94 PID 732 wrote to memory of 3604 732 cmd.exe 94 PID 4100 wrote to memory of 4288 4100 cmd.exe 96 PID 4100 wrote to memory of 4288 4100 cmd.exe 96 PID 1768 wrote to memory of 1100 1768 cmd.exe 97 PID 1768 wrote to memory of 1100 1768 cmd.exe 97 PID 4248 wrote to memory of 1104 4248 cmd.exe 95 PID 4248 wrote to memory of 1104 4248 cmd.exe 95 PID 2332 wrote to memory of 4616 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 99 PID 2332 wrote to memory of 4616 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 99 PID 4616 wrote to memory of 3684 4616 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 102 PID 4616 wrote to memory of 3684 4616 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 102 PID 2332 wrote to memory of 732 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 127 PID 2332 wrote to memory of 732 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 127 PID 2332 wrote to memory of 2276 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 128 PID 2332 wrote to memory of 2276 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 128 PID 2332 wrote to memory of 1816 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 129 PID 2332 wrote to memory of 1816 2332 f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe 129 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3480
-
C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe"C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet4⤵
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
PID:4288
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet4⤵
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\system32\wbadmin.exewbadmin delete backup -keepVersion:0 -quiet5⤵
- Deletes system backups
- Drops file in Windows directory
PID:3604
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"4⤵
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\System32\Wbem\WMIC.exewmic.exe SHADOWCOPY /nointeractive"5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No4⤵
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoverynabled No5⤵
- Modifies boot configuration data using bcdedit
PID:1104
-
-
-
-
C:\Windows\SYSTEM32\cipher.execipher /w:\\?\F:3⤵
- Enumerates connected drives
PID:732
-
-
C:\Windows\SYSTEM32\cipher.execipher /w:\\?\A:3⤵
- Enumerates connected drives
PID:2276
-
-
C:\Windows\SYSTEM32\cipher.execipher /w:\\?\C:3⤵PID:1816
-
-
-
C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe\\?\C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe -network -skip_misc2⤵
- Enumerates connected drives
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause3⤵PID:3684
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4332
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3520
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.wehavesolution247
Filesize624KB
MD553867011fb168ecc07bc336d11216bf9
SHA15d0ce3a5c6327675d55fc715b97990bd320fe464
SHA256de2c9ae00abf7280e2db92ec50f1f333be1f4e63e95f966cfe9dc6d975f0a45d
SHA512a1acb0dc9fadc78fb918110f785b403dcfd1e344146f18707678f6c065d1f2b9d053131d5be8191d9a719e9dea59d336fe316d1e9956d81981704790d1c532dd
-
Filesize
1KB
MD567e486b2f148a3fca863728242b6273e
SHA1452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize174B
MD584e48e1d05e4fa126373dcabfb762cde
SHA118b6d468eb8135e04ce661baecb03032d95b9cd6
SHA2567c817ce863ff7d5cb25dbc29d0165cbe942e3d4a4e506cc2177d52210612d4c3
SHA51223b06f736419e0d58bee788c3038bf95ba5c3055eae44c980227f52c2a6a4dc9140de4efe821e74cef4df330a907866a19ed009717a2129bac5dea5345ebe01b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize170B
MD54b81bcb0986b72b9992b6640e24eadcc
SHA15f3b966c486e14dad07f2976a49308fc5b2ae67a
SHA256e41f0b22edbdc415e3519459a6b232b10350af450944d0be2d0645ba521e7fd1
SHA5124b8a25f3f2705cc3c162d1c3339bbc4aa1fdeeeaac46df8ab7e5229a7185f80f23d4139461cc6386fb7f17309dc535e576f4b2eddc2b723169d6bc25f542dd7f
-
Filesize
14B
MD52c807857a435aa8554d595bd14ed35d1
SHA19003a73beceab3d1b1cd65614347c33117041a95
SHA2563c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b
SHA51295c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9
-
Filesize
3KB
MD54acca616db70d1f7444ada9661fb7f77
SHA1b3ef20f26ee3508fa2c7730b45cd828d610faeb6
SHA256a1bfd1b02ceffccec6921cd56e7c37c10ddc413ff14aab88fed3f2c07f428638
SHA512fff3a7d8bc94263ce1ce2b4cefd786233b7fa3b5287f3dc83287a7408390bf23bda303de961cf6fe99105dd55b0d7b4970b80dbdd39cc9d63bb41005e5bd3fdb