Resubmissions
02-12-2024 02:16 | 241202-cqmawszjeq | 10
02-12-2024 02:12 | 241202-cncnnstqcv | 10
30-11-2024 13:53 | 241130-q7gnmavrdw | 10

Analysis
max time kernel: 146s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2024 13:53
Static task: static1
Behavioral task: behavioral1
  Sample: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
  Resource: win10v2004-20241007-en
General
Target: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Size: 663KB
MD5: 7df4d51141b1c657e2c5f78ada3b526a
SHA1: d0bbec49bbf722aa102e3cbd548cfec5f88dd6a8
SHA256: f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca
SHA512: fed221cf7f27d3e74023457c58e903e55aa14a608db36df341e8bef2b2cb751ca1fb90da1e6a091ed0fbab70347e67365398c1af51815bec1da0ff330e35b54a
SSDEEP: 12288:UIj+Lg10Vgi+ve+Ge5JFzLZQMDObpph0lhSMXl+XXenm1hdLQ:Uc+k18+ve+Ge53LuMKHh0lhSMXlYei
Malware Config
Extracted
C:\$Recycle.Bin\READ_NOTE.html
http://xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 2688 created 1180 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 21
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
pid | Process
2860 | bcdedit.exe
Renames multiple (5696) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

pid | Process
2276 | wbadmin.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\R: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\S: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\T: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\N: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\X: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\Y: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\A: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\M: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\Z: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\F: | cipher.exe
File opened (read-only) | \??\H: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\G: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\Z: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\J: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\S: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\T: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\W: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\G: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\J: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\X: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\E: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\H: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\L: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\V: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\K: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\Y: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\L: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\U: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\V: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\F: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\E: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\B: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\K: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\O: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\Q: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\B: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\I: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\P: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\I: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\N: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\W: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\M: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\O: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\Q: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\R: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\A: | cipher.exe
File opened (read-only) | \??\P: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only) | \??\U: | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | api.ipify.org
4 | api.ipify.org
9 | api.ipify.org
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\Wallpaper = "\\\\?\\C:\\Users\\Admin\\AppData\\Local\\Temp\\output.bmp" | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\READ_NOTE.html | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\READ_NOTE.html | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\settings.js | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTL.ICO | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\XOCR3.PSP | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created | C:\Program Files\Windows Photo Viewer\es-ES\READ_NOTE.html | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\READ_NOTE.html | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00917_.WMF | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18254_.WMF | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyResume.dotx | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\READ_NOTE.html | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\READ_NOTE.html | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created | C:\Program Files\VideoLAN\VLC\READ_NOTE.html | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\Windows Media Player\de-DE\wmpnssui.dll.mui | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186360.WMF | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SEARCH.GIF | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginReport.Dotx | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\localizedStrings.js | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086428.WMF | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01063_.WMF | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created | C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\READ_NOTE.html | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\THMBNAIL.PNG | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107316.WMF | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301480.WMF | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Hobart | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\TURABIAN.XSL | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\HEADING.JPG | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\READ_NOTE.html | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Malta | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02166_.WMF | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\drag.png | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\library.js | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\READ_NOTE.html | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\IRIS.ELM | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0221903.WMF | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\Microsoft Games\Hearts\it-IT\Hearts.exe.mui | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00685_.WMF | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Opulent.xml | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.JS | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\OCEAN_01.MID | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB1A.BDR | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SLERROR.XML | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_zh_4.4.0.v20140623020002.jar | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\READ_NOTE.html | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08808_.WMF | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgzm.exe.mui | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\READ_NOTE.html | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\Portal\READ_NOTE.html | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue.css | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Dawson | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Chisinau | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Drops file in Windows directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | wbadmin.exe
File opened for modification | C:\Windows\bootstat.dat | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Windows\mib.bin | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Windows\Ultimate.xml | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | wbadmin.exe
File created | C:\Windows\READ_NOTE.html | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Windows\Starter.xml | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification | C:\Windows\WMSysPr9.prx | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1924 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Suspicious use of AdjustPrivilegeToken 23 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 1640 | WMIC.exe
Token: SeSecurityPrivilege | 1640 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1640 | WMIC.exe
Token: SeLoadDriverPrivilege | 1640 | WMIC.exe
Token: SeSystemProfilePrivilege | 1640 | WMIC.exe
Token: SeSystemtimePrivilege | 1640 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1640 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1640 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1640 | WMIC.exe
Token: SeBackupPrivilege | 1640 | WMIC.exe
Token: SeRestorePrivilege | 1640 | WMIC.exe
Token: SeShutdownPrivilege | 1640 | WMIC.exe
Token: SeDebugPrivilege | 1640 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1640 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1640 | WMIC.exe
Token: SeUndockPrivilege | 1640 | WMIC.exe
Token: SeManageVolumePrivilege | 1640 | WMIC.exe
Token: 33 | 1640 | WMIC.exe
Token: 34 | 1640 | WMIC.exe
Token: 35 | 1640 | WMIC.exe
Token: SeBackupPrivilege | 1708 | vssvc.exe
Token: SeRestorePrivilege | 1708 | vssvc.exe
Token: SeAuditPrivilege | 1708 | vssvc.exe
Suspicious use of WriteProcessMemory 59 IoCs
description | pid | Process | procid_target
PID 2688 wrote to memory of 2708 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 32
PID 2688 wrote to memory of 2708 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 32
PID 2688 wrote to memory of 2708 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 32
PID 2688 wrote to memory of 2708 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 32
PID 2688 wrote to memory of 1404 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 33
PID 2688 wrote to memory of 1404 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 33
PID 2688 wrote to memory of 1404 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 33
PID 2688 wrote to memory of 1404 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 33
PID 2688 wrote to memory of 2596 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 34
PID 2688 wrote to memory of 2596 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 34
PID 2688 wrote to memory of 2596 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 34
PID 2688 wrote to memory of 2596 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 34
PID 2688 wrote to memory of 2656 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 35
PID 2688 wrote to memory of 2656 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 35
PID 2688 wrote to memory of 2656 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 35
PID 2688 wrote to memory of 2656 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 35
PID 2688 wrote to memory of 2544 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 36
PID 2688 wrote to memory of 2544 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 36
PID 2688 wrote to memory of 2544 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 36
PID 1404 wrote to memory of 2584 | 1404 | cmd.exe | 37
PID 1404 wrote to memory of 2584 | 1404 | cmd.exe | 37
PID 1404 wrote to memory of 2584 | 1404 | cmd.exe | 37
PID 1404 wrote to memory of 2584 | 1404 | cmd.exe | 37
PID 2708 wrote to memory of 2592 | 2708 | cmd.exe | 38
PID 2708 wrote to memory of 2592 | 2708 | cmd.exe | 38
PID 2708 wrote to memory of 2592 | 2708 | cmd.exe | 38
PID 2708 wrote to memory of 2592 | 2708 | cmd.exe | 38
PID 2596 wrote to memory of 2620 | 2596 | cmd.exe | 39
PID 2596 wrote to memory of 2620 | 2596 | cmd.exe | 39
PID 2596 wrote to memory of 2620 | 2596 | cmd.exe | 39
PID 2596 wrote to memory of 2620 | 2596 | cmd.exe | 39
PID 2656 wrote to memory of 2600 | 2656 | cmd.exe | 41
PID 2656 wrote to memory of 2600 | 2656 | cmd.exe | 41
PID 2656 wrote to memory of 2600 | 2656 | cmd.exe | 41
PID 2656 wrote to memory of 2600 | 2656 | cmd.exe | 41
PID 2592 wrote to memory of 1924 | 2592 | cmd.exe | 42
PID 2592 wrote to memory of 1924 | 2592 | cmd.exe | 42
PID 2592 wrote to memory of 1924 | 2592 | cmd.exe | 42
PID 2584 wrote to memory of 2276 | 2584 | cmd.exe | 43
PID 2584 wrote to memory of 2276 | 2584 | cmd.exe | 43
PID 2584 wrote to memory of 2276 | 2584 | cmd.exe | 43
PID 2620 wrote to memory of 1640 | 2620 | cmd.exe | 44
PID 2620 wrote to memory of 1640 | 2620 | cmd.exe | 44
PID 2620 wrote to memory of 1640 | 2620 | cmd.exe | 44
PID 2600 wrote to memory of 2860 | 2600 | cmd.exe | 45
PID 2600 wrote to memory of 2860 | 2600 | cmd.exe | 45
PID 2600 wrote to memory of 2860 | 2600 | cmd.exe | 45
PID 2544 wrote to memory of 1464 | 2544 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 48
PID 2544 wrote to memory of 1464 | 2544 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 48
PID 2544 wrote to memory of 1464 | 2544 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 48
PID 2688 wrote to memory of 2112 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 51
PID 2688 wrote to memory of 2112 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 51
PID 2688 wrote to memory of 2112 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 51
PID 2688 wrote to memory of 2120 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 52
PID 2688 wrote to memory of 2120 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 52
PID 2688 wrote to memory of 2120 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 52
PID 2688 wrote to memory of 1556 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 50
PID 2688 wrote to memory of 1556 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 50
PID 2688 wrote to memory of 1556 | 2688 | f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe | 50
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\Explorer.EXE  PID:1180
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe  PID:2688
    Command line: "C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe"
    Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Enumerates connected drives; Sets desktop wallpaper using registry; Drops file in Program Files directory; Drops file in Windows directory; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  PID:2708
      Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe  PID:2592
        Command line: C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\vssadmin.exe  PID:1924
          Command line: vssadmin.exe Delete Shadows /All /Quiet
          Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\cmd.exe  PID:1404
      Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe  PID:2584
        Command line: C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\wbadmin.exe  PID:2276
          Command line: wbadmin delete backup -keepVersion:0 -quiet
          Signatures: Deletes system backups; Drops file in Windows directory
    - C:\Windows\SysWOW64\cmd.exe  PID:2596
      Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe  PID:2620
        Command line: C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\System32\Wbem\WMIC.exe  PID:1640
          Command line: wmic.exe SHADOWCOPY /nointeractive"
          Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe  PID:2656
      Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe  PID:2600
        Command line: C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\bcdedit.exe  PID:2860
          Command line: bcdedit.exe /set {default} recoverynabled No
          Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\cipher.exe  PID:1556
      Command line: cipher /w:\\?\A:
      Signatures: Enumerates connected drives
    - C:\Windows\system32\cipher.exe  PID:2112
      Command line: cipher /w:\\?\F:
      Signatures: Enumerates connected drives
    - C:\Windows\system32\cipher.exe  PID:2120
      Command line: cipher /w:\\?\C:
  - C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe  PID:2544
    Command line: \\?\C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe -network -skip_misc
    Signatures: Enumerates connected drives; Checks processor information in registry; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe  PID:1464
      Command line: C:\Windows\system32\cmd.exe /c pause
- C:\Windows\system32\vssvc.exe  PID:1708
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
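The tree above is the whole recovery-inhibition sequence (ATT&CK T1490): vssadmin, wbadmin, wmic and bcdedit are each launched through a two-hop cmd.exe chain (a SysWOW64 cmd.exe that re-launches itself via %windir%\sysnative\cmd.exe, the path a 32-bit process uses to reach the 64-bit system tools), followed by cipher /w free-space wipes, while the WriteProcessMemory table records which PID started which. Two details of the logged command lines matter for detection: the bcdedit switch is logged as "recoverynabled" (sic), and the wmic line carries no "delete" verb, so rules keyed on the exact strings "recoveryenabled" or "shadowcopy delete" would miss both. The script below is an added example, not part of this report or of the sample: it runs tolerant rules over constructed process-creation records (PIDs and command lines taken from the tree, parent PIDs following its nesting), walks the parent chain past the cmd.exe wrappers to attribute each hit to the originating image, and notes whether the chain crossed into the 64-bit cmd.exe via sysnative. The record fields, rule names and the wbadmin "catalog" alternative are this example's own and go slightly beyond the exact lines logged here.

```python
"""Flag recovery-inhibition commands (ATT&CK T1490) in process-creation records and
attribute each one to the process that issued it.

Added example, not part of the sandbox report or of the sample. Records are
constructed from the PIDs and command lines in the process tree on this page;
parent PIDs follow the tree's nesting. Field and rule names are this example's own."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe")
WOW_CMD = r"C:\Windows\SysWOW64\cmd.exe"
NAT_CMD = r"C:\Windows\system32\cmd.exe"
SYS32 = r"C:\Windows\system32"


def _chain(pids, tool_image, tool_cmd):
    """Constructed: 32-bit cmd -> 64-bit cmd via sysnative -> tool, as the tree shows."""
    p1, p2, p3 = pids
    return [
        ProcEvent(p1, 2688, WOW_CMD, rf"\\?\{WOW_CMD} /c %windir%\sysnative\cmd.exe /c {tool_cmd}"),
        ProcEvent(p2, p1, NAT_CMD, rf"C:\Windows\sysnative\cmd.exe /c {tool_cmd}"),
        ProcEvent(p3, p2, tool_image, tool_cmd),
    ]


EVENTS = [
    ProcEvent(1180, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2688, 1180, SAMPLE, f'"{SAMPLE}"'),
    *_chain((2708, 2592, 1924), rf"{SYS32}\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    *_chain((1404, 2584, 2276), rf"{SYS32}\wbadmin.exe", "wbadmin delete backup -keepVersion:0 -quiet"),
    *_chain((2596, 2620, 1640), r"C:\Windows\System32\Wbem\WMIC.exe", 'wmic.exe SHADOWCOPY /nointeractive"'),
    *_chain((2656, 2600, 2860), rf"{SYS32}\bcdedit.exe", "bcdedit.exe /set {default} recoverynabled No"),
    ProcEvent(2120, 2688, rf"{SYS32}\cipher.exe", r"cipher /w:\\?\C:"),
    # Second instance of the sample: the tree places it under Explorer, not under PID 2688.
    ProcEvent(2544, 1180, SAMPLE, rf"\\?\{SAMPLE} -network -skip_misc"),
    ProcEvent(1464, 2544, NAT_CMD, rf"{NAT_CMD} /c pause"),
]

# (rule, image basename that must execute it, command-line pattern). Gating on the image
# keeps the cmd.exe wrappers, which carry the same text, from producing duplicate hits.
RULES = [
    ("vssadmin-delete-shadows", "vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("wbadmin-delete-backup", "wbadmin.exe", re.compile(r"\bdelete\s+(backup|catalog)\b", re.I)),
    # Logged on this page without a "delete" verb; a rule that requires one misses it.
    ("wmic-shadowcopy", "wmic.exe", re.compile(r"\bshadowcopy\b", re.I)),
    # Logged here as "recoverynabled" (sic); match the "recovery... No" shape, not the exact switch.
    ("bcdedit-disable-recovery", "bcdedit.exe", re.compile(r"/set\s+\{default\}\s+recovery\w*\s+no\b", re.I)),
    ("cipher-wipe-free-space", "cipher.exe", re.compile(r"\s/w:", re.I)),
]
SYSNATIVE_HOP = re.compile(r"\\sysnative\\cmd\.exe", re.I)


def lineage(events, pid):
    """The process and its ancestors, leaf first, following ppid links to the root."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid and by_pid[pid] not in chain:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def originator(chain):
    """First ancestor that is not a cmd.exe wrapper: the process that really issued the command."""
    for e in chain[1:]:
        if not e.image.lower().endswith("\\cmd.exe"):
            return e
    return None


def scan(events):
    """One finding per recovery-inhibition command, attributed to its originator."""
    findings = []
    for e in events:
        base = e.image.rsplit("\\", 1)[-1].lower()
        for rule, tool, rx in RULES:
            if base == tool and rx.search(e.cmdline):
                chain = lineage(events, e.pid)
                src = originator(chain)
                findings.append({
                    "rule": rule, "pid": e.pid,
                    "origin_pid": src.pid if src else None,
                    "origin_image": src.image if src else None,
                    # True when the chain crossed from SysWOW64 into the 64-bit cmd.exe via sysnative.
                    "sysnative_hop": any(SYSNATIVE_HOP.search(c.cmdline) for c in chain),
                })
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f['rule']:<26} pid={f['pid']:<5} origin_pid={f['origin_pid']} sysnative_hop={f['sysnative_hop']}")
```

On these records every finding resolves to PID 2688, and the four shadow-copy and boot-configuration hits carry the sysnative hop while the cipher run does not, which is the same shape a real EDR process-tree query should produce; the "cmd /c pause" child of the second instance (PID 2544, which the tree places under Explorer in line with the NtCreateUserProcessOtherParentProcess signature) is correctly not flagged.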
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 3KB
MD5 be4a5ed00ffb996c4942c03742c27f34
SHA1 02c25e478112fc60edfd956680fbaa59940d8970
SHA256 47f45b15a970cb5e6e991c239fec5c87fbfe19686fd7746c5ac8403a71a04691
SHA512 801f1b4a6597a3f20adaf2db4ea70b638306c272fa7d1779ee13e52f50a9eb12ce884382025dc500722840ee7d7354fcc03c5c376bd7204f621085d4bf8c3b90
-
Filesize 1KB
MD5 67e486b2f148a3fca863728242b6273e
SHA1 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256 facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512 d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e
-
Filesize 436B
MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize 174B
MD5 31de7857ce7d2a9ba0b7623a04a49f62
SHA1 a4002d86c4a7d236a22e0733371c46c5c08dbf7e
SHA256 13fabd0b88257c992bc29cb36e8040a812e3da516f0f11b6cf26d91111d69e78
SHA512 9f1bc3c5f268fe53704af919aa6a12de828a52326ac496de743fd6cd833fec617fb4e19b2e956a8a34ca17e7d29203605db62d793ef0f804441becab1d5ed92e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 0e6405061cb18e40276017d26c9b92fa
SHA1 38d3d43a338fd36323ebbf006b06dd0c946d92af
SHA256 84ee2d2c19ad1fc70ff4db1b9e39011e9285df3a1e8725aa634c28b46bf5b0f1
SHA512 7d92a75e1ed56b9a9252ce681e5877b6d639c6c25188dd141139899575f095c6daeac584379f7c2f4925b759f531ac7c2a72d0c4839ced50ba4020894865344c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize 170B
MD5 23ef7d0cc5993735f8d7b3efdee9bf1f
SHA1 c7a5c74cec8340a3766e7490dd1cc234bec9dffe
SHA256 5f0e5af22ce242d5aad9cb29e53955f38f3cf3d1fb3a548015f4e439ef558d69
SHA512 70f3fd78acd4b87dfd4bfc3112f824d06cd179d1bf9010667a37e4fb0ae412edd7fe08ac0556f947fac6cec161a8c166ef30d238aea072afa77955e5839daf17
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 14B
MD5 2c807857a435aa8554d595bd14ed35d1
SHA1 9003a73beceab3d1b1cd65614347c33117041a95
SHA256 3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b
SHA512 95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9