e31d56289c1957053630383ff71959cba08521874410bd78e46680788490e9cd

Resubmissions

02-12-2024 02:16

241202-cqmawszjeq 10

02-12-2024 02:12

241202-cncnnstqcv 10

30-11-2024 13:53

241130-q7gnmavrdw 10

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Size

663KB
MD5

7df4d51141b1c657e2c5f78ada3b526a
SHA1

d0bbec49bbf722aa102e3cbd548cfec5f88dd6a8
SHA256

f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca
SHA512

fed221cf7f27d3e74023457c58e903e55aa14a608db36df341e8bef2b2cb751ca1fb90da1e6a091ed0fbab70347e67365398c1af51815bec1da0ff330e35b54a
SSDEEP

12288:UIj+Lg10Vgi+ve+Ge5JFzLZQMDObpph0lhSMXl+XXenm1hdLQ:Uc+k18+ve+Ge53LuMKHh0lhSMXlYei

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\READ_NOTE.html

Ransom Note

<div class="tabs1"> <div class="head">Your personal ID:</div> <div class="identi">eheRHtewLvCt6Ahe9UdL1EOmhpaktq0y0ia4zbY20Z2SFeziEzbYBclBFDH6DW+aNtzbP3MnOmlLkiaxrWYKlHz/xw0uUve1LZoNLzc4nFHBrNvK4dlzZGYOgvGIEdLWrEQyRU7qcgNUPI338ZKuEMFkdzMJg9wCLFzE4fTPcVeFeamHyb00AZqunampaBhav3V7hs8Ls+8OxpYDMbacum28svYH0SRsD+dKCu37r1dwekqUy9c+ImLA/uw9Rou3VYvMOBNTFc8gg9bayhnK8WFB9dEA/mpHKKkupjrjLk4ot6tDHc/nmFmfI07UhV7ywLrw68N7rDwYFeOz4MwCNw==� </div> </div>  <div class="tabs"> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! <hr />Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. When you compose a letter, please indicate the PERSONAL ID from the beginning of the note, so that we can more specifically approach the formation of conditions for you. <hr />Contact us for price and get decryption software. <hr />email: <a href="[email protected]">[email protected] </a> <a href="[email protected]">[email protected] </a> OUR TOX: <a href="https://tox.chat/clients.html"> BA3779BDEE7B982BF08FC0B7B0410E6AE7CC6612B13433B60000E0757BDD682A69AD98563AEC</a> * To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. </a> *Our site and Tor-chat to always be in touch: </div> </div> </div>  xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion  </div>

Emails

href="[email protected]">[email protected]

URLs

http://xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3724 created 3396	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	56

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3416	bcdedit.exe

Renames multiple (5290) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4424	wbadmin.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\B:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\V:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Z:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\H:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\V:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Y:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\A:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\N:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\O:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Q:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\E:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\W:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\F:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\G:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\R:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\B:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\M:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\U:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\J:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\I:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\L:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\T:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\G:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\I:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\R:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\H:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\W:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\X:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Q:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\X:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Z:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\S:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\T:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\K:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\P:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\S:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\U:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Y:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\O:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\P:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\E:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\M:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\J:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\K:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\L:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\N:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org
14	api.ipify.org

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "\\\\?\\C:\\Users\\Admin\\AppData\\Local\\Temp\\output.bmp"	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-300.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-fr\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\WordNet_license.txt	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleUtilRT.winmd	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Helper.winmd	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fi-fi\ui-strings.js	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\Google\Update\Install\{86586A1C-7EEC-4BB2-AD86-7C1FB3D0D811}\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\ui-strings.js	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PIXEL.ELM	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\ui-strings.js	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\vlc.mo	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-200_contrast-black.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\notificationCenter_dark.css	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-black_scale-200.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyCalendarSearch.scale-150.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-200_contrast-white.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\ui-strings.js	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\es-419_get.svg	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AboutAdsCoreBackgroundImage.jpg	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\PackageManagementDscUtilities.strings.psd1	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSplashScreen.scale-200.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\LockScreenLogo.scale-125.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\smsconnect\SMSConnect2x.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxMetadata\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Context.ps1	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-ms	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp10.scale-100.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-cn\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\main.css	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-256_altform-unplated.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner_process.svg	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-sl\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\file_icons.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\lt.pak.DATA	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionPage.xbf	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-125_contrast-black.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square44x44Logo.targetsize-48_altform-unplated.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File created	C:\Windows\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Windows\bootstat.dat	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Windows\mib.bin	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Windows\Professional.xml	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Windows\WMSysPr9.prx	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4996	vssadmin.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4089630652-1596403869-279772308-1000\{127FB21B-7FCB-4ACE-8A3C-64588F6A91CB}	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3388	WMIC.exe
Token: SeSecurityPrivilege	3388	WMIC.exe
Token: SeTakeOwnershipPrivilege	3388	WMIC.exe
Token: SeLoadDriverPrivilege	3388	WMIC.exe
Token: SeSystemProfilePrivilege	3388	WMIC.exe
Token: SeSystemtimePrivilege	3388	WMIC.exe
Token: SeProfSingleProcessPrivilege	3388	WMIC.exe
Token: SeIncBasePriorityPrivilege	3388	WMIC.exe
Token: SeCreatePagefilePrivilege	3388	WMIC.exe
Token: SeBackupPrivilege	3388	WMIC.exe
Token: SeRestorePrivilege	3388	WMIC.exe
Token: SeShutdownPrivilege	3388	WMIC.exe
Token: SeDebugPrivilege	3388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3388	WMIC.exe
Token: SeRemoteShutdownPrivilege	3388	WMIC.exe
Token: SeUndockPrivilege	3388	WMIC.exe
Token: SeManageVolumePrivilege	3388	WMIC.exe
Token: 33	3388	WMIC.exe
Token: 34	3388	WMIC.exe
Token: 35	3388	WMIC.exe
Token: 36	3388	WMIC.exe
Token: SeBackupPrivilege	3360	vssvc.exe
Token: SeRestorePrivilege	3360	vssvc.exe
Token: SeAuditPrivilege	3360	vssvc.exe
Token: SeShutdownPrivilege	4896	explorer.exe
Token: SeCreatePagefilePrivilege	4896	explorer.exe
Token: SeShutdownPrivilege	4896	explorer.exe
Token: SeCreatePagefilePrivilege	4896	explorer.exe
Token: SeShutdownPrivilege	4896	explorer.exe
Token: SeCreatePagefilePrivilege	4896	explorer.exe
Token: SeShutdownPrivilege	4896	explorer.exe
Token: SeCreatePagefilePrivilege	4896	explorer.exe
Token: SeShutdownPrivilege	4896	explorer.exe
Token: SeCreatePagefilePrivilege	4896	explorer.exe
Token: SeShutdownPrivilege	4896	explorer.exe
Token: SeCreatePagefilePrivilege	4896	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4896	explorer.exe
4896	explorer.exe
4896	explorer.exe
4896	explorer.exe
4896	explorer.exe
4896	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
4896	explorer.exe
4896	explorer.exe
4896	explorer.exe
4896	explorer.exe
4896	explorer.exe
4896	explorer.exe
4896	explorer.exe
4896	explorer.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 2328	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	83
PID 3724 wrote to memory of 2328	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	83
PID 3724 wrote to memory of 2328	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	83
PID 3724 wrote to memory of 3560	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	84
PID 3724 wrote to memory of 3560	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	84
PID 3724 wrote to memory of 3560	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	84
PID 3724 wrote to memory of 4164	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	85
PID 3724 wrote to memory of 4164	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	85
PID 3724 wrote to memory of 4164	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	85
PID 3724 wrote to memory of 3584	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	86
PID 3724 wrote to memory of 3584	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	86
PID 3724 wrote to memory of 3584	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	86
PID 4164 wrote to memory of 5056	4164	cmd.exe	87
PID 4164 wrote to memory of 5056	4164	cmd.exe	87
PID 2328 wrote to memory of 2608	2328	cmd.exe	88
PID 2328 wrote to memory of 2608	2328	cmd.exe	88
PID 3584 wrote to memory of 1776	3584	cmd.exe	89
PID 3584 wrote to memory of 1776	3584	cmd.exe	89
PID 3560 wrote to memory of 1404	3560	cmd.exe	92
PID 3560 wrote to memory of 1404	3560	cmd.exe	92
PID 5056 wrote to memory of 3388	5056	cmd.exe	94
PID 5056 wrote to memory of 3388	5056	cmd.exe	94
PID 1404 wrote to memory of 4424	1404	cmd.exe	93
PID 1404 wrote to memory of 4424	1404	cmd.exe	93
PID 1776 wrote to memory of 3416	1776	cmd.exe	95
PID 1776 wrote to memory of 3416	1776	cmd.exe	95
PID 2608 wrote to memory of 4996	2608	cmd.exe	96
PID 2608 wrote to memory of 4996	2608	cmd.exe	96
PID 3724 wrote to memory of 3344	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	97
PID 3724 wrote to memory of 3344	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	97
PID 3344 wrote to memory of 4276	3344	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	101
PID 3344 wrote to memory of 4276	3344	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	101
PID 3724 wrote to memory of 5100	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	117
PID 3724 wrote to memory of 5100	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	117
PID 3724 wrote to memory of 4328	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	118
PID 3724 wrote to memory of 4328	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	118
PID 3724 wrote to memory of 384	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	119
PID 3724 wrote to memory of 384	3724	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3396
- C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
  "C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        Drops file in Windows directory
        
        PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3416
- - C:\Windows\SYSTEM32\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    PID:5100
- - C:\Windows\SYSTEM32\cipher.exe
    cipher /w:\\?\C:
    3⤵
    PID:4328
- - C:\Windows\SYSTEM32\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    PID:384
- C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe -network -skip_misc
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:4276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.wehavesolution247

Filesize
624KB

MD5
808d194130c49031f01beceee26e13a3

SHA1
dc95236fcd109e9cf3cf6a2987d5aa8abe1eb807

SHA256
ea7174ee1933d6519935c18b288a5d61b8d0fe5c08acc23500cf3c29295f111b

SHA512
f68ba1e0f3202e880b2fd8089775e89c038eabec3289c9c9de70dbb6bd89ee68b6402f927b3f64184ebc581657a4a5f5764c317bd63a97b28dc7828f802faa21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
c66c1f6c02e6202a732294ca70560ae9

SHA1
3c4b22263354637ee5961dab2af50e4d6be551d0

SHA256
35e573ff7fd95acb895817925b80ec478ef0e99620f0580df7550ab5ce3fff48

SHA512
1b5e157077613d6fa2a5c1d1f424a264c633a3b74aa1c18ccbc415a69f0cbff5ec0788b637864443a333bf913b311105ddcf563f84f93adaa2b8a1e9de250ecc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
aa15fd6e58aaf8fcdc87a1cdb24545d0

SHA1
2bb1feb674601793ceeabf041127ae33616a270f

SHA256
f1cddc32787b0fd4fc9c7b9aa70ed67e3850a92398ddb8360e968b2159ef72ed

SHA512
0471117b911c7f61e16bb4bc8afe742913d713be8670e3b2f4fe0a084acdb3c37113781cd728a39b67f307be589278098ac98b3e12b089373d93f6083e1372d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\external_ip.wehavesolution247

Filesize
14B

MD5
2c807857a435aa8554d595bd14ed35d1

SHA1
9003a73beceab3d1b1cd65614347c33117041a95

SHA256
3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b

SHA512
95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9

Download Submit
\Device\HarddiskVolume1\READ_NOTE.html

Filesize
3KB

MD5
f05ad2083fbbdf1e9e1e973e0dcbf3e2

SHA1
6d392b8867feac77fd00f13aed37011ec1bc7b36

SHA256
6cc8e84cc15f4b6424cd624ff316de2e198ac647726dbda3bc1a645925a8b4a1

SHA512
0d43f35caabf91d495731daaeb3afcc43b5a5492c2d97ac203537d2d0fc8c23130c72f8c74c8efa9be4ad1246e85ff1e590483c2c7777f4c7056580aa0665fab

Download Submit