e31d56289c1957053630383ff71959cba08521874410bd78e46680788490e9cd

Resubmissions

02-12-2024 02:16

241202-cqmawszjeq 10

02-12-2024 02:12

241202-cncnnstqcv 10

30-11-2024 13:53

241130-q7gnmavrdw 10

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Size

663KB
MD5

7df4d51141b1c657e2c5f78ada3b526a
SHA1

d0bbec49bbf722aa102e3cbd548cfec5f88dd6a8
SHA256

f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca
SHA512

fed221cf7f27d3e74023457c58e903e55aa14a608db36df341e8bef2b2cb751ca1fb90da1e6a091ed0fbab70347e67365398c1af51815bec1da0ff330e35b54a
SSDEEP

12288:UIj+Lg10Vgi+ve+Ge5JFzLZQMDObpph0lhSMXl+XXenm1hdLQ:Uc+k18+ve+Ge53LuMKHh0lhSMXlYei

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\READ_NOTE.html

Ransom Note

<div class="tabs1"> <div class="head">Your personal ID:</div> <div class="identi">F4VdZVFw3H6Y7UpoC7JQA1a4f9h0KdnEBQIhhcxC4vLnb7PjwIqZqXQ2Z6YYbYlQhU/FwXFJkj3NuzcwD8/6Ri/c273u09sjsaK8TwG4ED77P+pebaMpwFf+9ykcbgEwtkiyS3eaxQtAF1Fc9kzKnFh46XYl4p3jtv+w8BrlgHYG191VDIMkHH1NzPjcwBV8ow8XHqXzfpa5EcUeWUAIfQVdgI2wTnwkYCFiYKUu3nY+qXLDjuCBVqOlFgyA+7wvsxrisLRyfQE+czBHHYtdV0J2SZRZmqiZpx7HZ8ionmzuDNECpVq0YH6cUxmsHryI+/rNRByY5UOPmNjImOfYfg==� </div> </div>  <div class="tabs"> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! <hr />Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. When you compose a letter, please indicate the PERSONAL ID from the beginning of the note, so that we can more specifically approach the formation of conditions for you. <hr />Contact us for price and get decryption software. <hr />email: <a href="[email protected]">[email protected] </a> <a href="[email protected]">[email protected] </a> OUR TOX: <a href="https://tox.chat/clients.html"> BA3779BDEE7B982BF08FC0B7B0410E6AE7CC6612B13433B60000E0757BDD682A69AD98563AEC</a> * To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. </a> *Our site and Tor-chat to always be in touch: </div> </div> </div>  xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion  </div>

Emails

href="[email protected]">[email protected]

URLs

http://xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2324 created 3464	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	56

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4220	bcdedit.exe

Renames multiple (5290) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1224	wbadmin.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\P:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\G:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\T:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\S:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\B:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\S:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Y:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Z:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\J:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\L:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\O:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\G:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\H:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\T:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\B:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\E:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\N:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\R:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\R:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\W:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\F:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\L:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\W:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\U:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Z:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\J:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\O:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Q:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\M:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\X:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\P:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\V:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Y:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\E:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\V:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\H:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\K:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\N:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\I:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Q:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\A:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\I:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\K:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\U:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\X:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org
14	api.ipify.org

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\Wallpaper = "\\\\?\\C:\\Users\\Admin\\AppData\\Local\\Temp\\output.bmp"	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Custom.propdesc	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\LargeTile.scale-125.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-ae\ui-strings.js	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\wmplayer.exe.mui	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-256.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\Fonts\MemMDL2.1.85.ttf	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe.manifest	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\ui-strings.js	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\selector.js	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\SyncExit.midi	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lv-LV\View3d\3DViewerProductDescription-universal.xml	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-unplated.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mt.pak.DATA	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-400.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-black_scale-200.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\ui-strings.js	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\ui-strings.js	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\SearchPlaceholder-light.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\1.rsrc	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\ui-strings.js	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\microsoft.system.package.metadata\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\Retail_Feedback_icon.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\checkmark-2x.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageProviderFunctions.psm1	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-200_contrast-black.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\cli.luac	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-125_contrast-black.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-white_scale-125.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-150_contrast-white.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated_contrast-white.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File created	C:\Windows\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Windows\bootstat.dat	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Windows\mib.bin	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Windows\Professional.xml	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Windows\WMSysPr9.prx	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3164	vssadmin.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045960512-3948844814-3059691613-1000\{DD764939-4916-4BA7-9325-565806D7E295}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4972	WMIC.exe
Token: SeSecurityPrivilege	4972	WMIC.exe
Token: SeTakeOwnershipPrivilege	4972	WMIC.exe
Token: SeLoadDriverPrivilege	4972	WMIC.exe
Token: SeSystemProfilePrivilege	4972	WMIC.exe
Token: SeSystemtimePrivilege	4972	WMIC.exe
Token: SeProfSingleProcessPrivilege	4972	WMIC.exe
Token: SeIncBasePriorityPrivilege	4972	WMIC.exe
Token: SeCreatePagefilePrivilege	4972	WMIC.exe
Token: SeBackupPrivilege	4972	WMIC.exe
Token: SeRestorePrivilege	4972	WMIC.exe
Token: SeShutdownPrivilege	4972	WMIC.exe
Token: SeDebugPrivilege	4972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4972	WMIC.exe
Token: SeRemoteShutdownPrivilege	4972	WMIC.exe
Token: SeUndockPrivilege	4972	WMIC.exe
Token: SeManageVolumePrivilege	4972	WMIC.exe
Token: 33	4972	WMIC.exe
Token: 34	4972	WMIC.exe
Token: 35	4972	WMIC.exe
Token: 36	4972	WMIC.exe
Token: SeBackupPrivilege	2356	vssvc.exe
Token: SeRestorePrivilege	2356	vssvc.exe
Token: SeAuditPrivilege	2356	vssvc.exe
Token: SeShutdownPrivilege	1716	explorer.exe
Token: SeCreatePagefilePrivilege	1716	explorer.exe
Token: SeShutdownPrivilege	1716	explorer.exe
Token: SeCreatePagefilePrivilege	1716	explorer.exe
Token: SeShutdownPrivilege	1716	explorer.exe
Token: SeCreatePagefilePrivilege	1716	explorer.exe
Token: SeShutdownPrivilege	1716	explorer.exe
Token: SeCreatePagefilePrivilege	1716	explorer.exe
Token: SeShutdownPrivilege	1716	explorer.exe
Token: SeCreatePagefilePrivilege	1716	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1716	explorer.exe
1716	explorer.exe
1716	explorer.exe
1716	explorer.exe
1716	explorer.exe
1716	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1716	explorer.exe
1716	explorer.exe
1716	explorer.exe
1716	explorer.exe
1716	explorer.exe
1716	explorer.exe
1716	explorer.exe
1716	explorer.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1200	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	84
PID 2324 wrote to memory of 1200	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	84
PID 2324 wrote to memory of 1200	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	84
PID 2324 wrote to memory of 3720	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	85
PID 2324 wrote to memory of 3720	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	85
PID 2324 wrote to memory of 3720	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	85
PID 2324 wrote to memory of 2232	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	86
PID 2324 wrote to memory of 2232	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	86
PID 2324 wrote to memory of 2232	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	86
PID 2324 wrote to memory of 4908	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	87
PID 2324 wrote to memory of 4908	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	87
PID 2324 wrote to memory of 4908	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	87
PID 4908 wrote to memory of 5000	4908	cmd.exe	88
PID 4908 wrote to memory of 5000	4908	cmd.exe	88
PID 3720 wrote to memory of 1576	3720	cmd.exe	91
PID 3720 wrote to memory of 1576	3720	cmd.exe	91
PID 1200 wrote to memory of 4776	1200	cmd.exe	92
PID 1200 wrote to memory of 4776	1200	cmd.exe	92
PID 5000 wrote to memory of 4220	5000	cmd.exe	94
PID 5000 wrote to memory of 4220	5000	cmd.exe	94
PID 2232 wrote to memory of 4296	2232	cmd.exe	93
PID 2232 wrote to memory of 4296	2232	cmd.exe	93
PID 4296 wrote to memory of 4972	4296	cmd.exe	96
PID 4296 wrote to memory of 4972	4296	cmd.exe	96
PID 1576 wrote to memory of 1224	1576	cmd.exe	95
PID 1576 wrote to memory of 1224	1576	cmd.exe	95
PID 4776 wrote to memory of 3164	4776	cmd.exe	97
PID 4776 wrote to memory of 3164	4776	cmd.exe	97
PID 2324 wrote to memory of 1324	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	99
PID 2324 wrote to memory of 1324	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	99
PID 1324 wrote to memory of 3708	1324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	102
PID 1324 wrote to memory of 3708	1324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	102
PID 2324 wrote to memory of 4724	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	127
PID 2324 wrote to memory of 4724	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	127
PID 2324 wrote to memory of 780	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	128
PID 2324 wrote to memory of 780	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	128
PID 2324 wrote to memory of 2840	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	126
PID 2324 wrote to memory of 2840	2324	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
  "C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4776
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1576
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        Drops file in Windows directory
        
        PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4296
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4220
- - C:\Windows\SYSTEM32\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    PID:2840
- - C:\Windows\SYSTEM32\cipher.exe
    cipher /w:\\?\C:
    3⤵
    PID:4724
- - C:\Windows\SYSTEM32\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    PID:780
- C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe -network -skip_misc
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:3708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.wehavesolution247

Filesize
624KB

MD5
2b9917314fe1c09d89b5196b1bd5045a

SHA1
ccb08f33a7d208b089013ff9360ccf12c1ebd1c9

SHA256
1231522f5ea671cf1830000364977fcc2ee257467657f627c49e92d89bf5c34a

SHA512
73ea0a551b77022c74e59afbeac84881ccb1586a303e14b2c4f6c2ace9068ca2fabfb1409d2e68bd22a48d51a0d7b8c09c5b3b2ad2a3ca54aabeb78672d769ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
ba87616c9165e5b753133051ab2f6810

SHA1
c9b4e93f4bbe9b546b83381d723d1c78b9ed58fb

SHA256
06662386b4c8d16296c7971e91eca89d789e7d410e25b13d92ac9c94f3e7fd31

SHA512
8d4acf37da7fef7801778a04eedcf87942990743a811bb8f77284890802ef8f260b7ff0ebdc98a684c468fdcb5924c8370e2217f1a3370d8d4ba4e46e5c6e814

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
64526516b19257e1b05207a6dc0cc31f

SHA1
772c6ce507dac834305d2c64f6c45663308614c5

SHA256
885dc19c5348636f0b700eb4ab46f107c7d7b8243ef1249bb65dd265096e2b67

SHA512
61c5e9ba127233b7696ef1695085addaaa6a350bf876e61c48c48c9792b42b4c6345a1e0c09a85d06894189a1ddde279419b5f3c630acdb836f44aa2cb257829

Download Submit
C:\Users\Admin\AppData\Local\Temp\external_ip.wehavesolution247

Filesize
14B

MD5
2c807857a435aa8554d595bd14ed35d1

SHA1
9003a73beceab3d1b1cd65614347c33117041a95

SHA256
3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b

SHA512
95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9

Download Submit
F:\$RECYCLE.BIN\READ_NOTE.html

Filesize
3KB

MD5
d513f2e40ca1bc30ee55ab5499ebcba8

SHA1
9e3bf7be8acb24942adcdc6e53c382fb21aa4df6

SHA256
4711d5e588f37806c4c66b27d912c0123bcc0189fb49b58cf8f950e97445b127

SHA512
20369d01dce96ee0d72ae3e4e82d969046c3d8945ce2eb708fedc1af834ba5d33572ce7b0838b4275251fd537fd5cacc395290c541aeb05b78b3fd89f73c1da8

Download Submit