dragonforce | 0bb6cd17a093600f262fdf5a559d26958682b89bdcf35bb69d3bfb3116f88f4d

Analysis

max time kernel
140s
max time network
71s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/12/2024, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Size

465KB
MD5

15634dc79981e7fba25fb8530cedb981
SHA1

a4bdd6cef0ed43a4d08f373edc8e146bb15ca0f9
SHA256

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83
SHA512

daa63d5a3a948f4416d61eb4bf086f8cc921f24187ffcdb406751cc8102114f826957a249830e28220a3c73e11388706152851106794529541e1e2020d695ece
SSDEEP

12288:HZph8TCfS9dQ1GH4wKcmY8FYkEv+NT5XqU6KDBxE:HZpCTCfS9dQ104wdV8FImT5XqiS

Score

10^/10

dragonforce credential_access discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

dragonforce

Ransom Note

Hello! Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay. --- Our communication process: 1. You contact us. 2. We send you a list of files that were stolen. 3. We decrypt 1 file to confirm that our decryptor works. 4. We agree on the amount, which must be paid using BTC. 5. We delete your files, we give you a decryptor. 6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- Client area (use this site to contact us): Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion >>> Use this ID: C2856ADC257746636B68C8795113B630 to begin the recovery process. * In order to access the site, you will need Tor Browser, you can download it from this link: https://www.torproject.org/ --- Additional contacts: Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20 --- Recommendations: DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. --- Important: If you refuse to pay or do not get in touch with us, we start publishing your files. 17/07/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog. Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101

URLs

http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion

http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

Signatures

DragonForce
Ransomware family based on Lockbit that was first observed in November 2023.
ransomware dragonforce
Dragonforce family
dragonforce
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 32 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CW1M20CU\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\I618Z2Y3\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\691RDNCS\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\C1JHBK4W\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\STOCKS.XML	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00918_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01749_.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN054.XML	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187647.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\Wks9Pxy.cnv	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ms.pak	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN02122_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00367_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WING1.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18204_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSWAVY.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-ui.jar	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBAR.XML	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGNHM.POC	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR38F.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-windows.jar	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01146_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\PREVIEW.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kamchatka	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21337_.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309902.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\DefaultBlackAndWhite.dotx	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOff.jpg	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jre7\lib\rt.jar	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00333_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\LEVEL.ELM	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107350.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14581_.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182902.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD11.POC	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14869_.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14985_.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.DPV	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "1"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e0044004100540000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 350d538548f3c4ac19df7416eb12d343436fd41d9f27d161e4ad61daae8beec6	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d0044006100740061005c004d006900630072006f0073006f00660074005c004f006600660069006300650053006f00660074007700610072006500500072006f00740065006300740069006f006e0050006c006100740066006f0072006d005c0074006f006b0065006e0073002e0064006100740000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 642617548a111aaf462607463fa7c346a7a2c5adb37f16cfe93621e9388a761d	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = e586f52a616186ffabefeda0b42cf60a9a46f1f61a947b151f98f053c29914a8	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "2"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = e13e89471241db61d2c1790ad01ab4ec280570ecd0273157d9fccbe065ab8dcb	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 8dfc789f4ed2e8580c31f7392eeafed80410390d46deb5bd226ba8f118fe2891	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Owner = 8408000070005c46cb44db01	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 8b3b1f6f4f3539f84a6eaa62ce39bec8623c465ceafc1053ae7a36b81225b680	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = f1b8b2dea67a724a6f8be1e77c944d128ce0aa90e5d5cbb15e9da934d2da6264	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 0ae3a5c8d5adf45cea3637af758c9c3d1abeadf5b9e5f435d8fad4f63fb3ca1a	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d0044006100740061005c004d006900630072006f0073006f00660074005c004e006500740077006f0072006b005c0044006f0077006e006c006f0061006400650072005c0071006d006700720030002e0064006100740000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = ad9215f344bec52618f32d9b2fb3ffa3580d0f9e0a8105f2d36f3aebc1b520ed	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = cf94fe4fbfba3c6d42ba21dbdaf8cd346cb2a67e93e1255835db9dc7e3689190	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d002e0062006c00660000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = a3a14f6178923562d255fb9aef596ab91451c5a2d94171d56be4c6a7b5dff30d	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = f6da5a82cb53803ac1d133040dd398e8bf3fef7fc28b34f88b524b87ec22aab9	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 37410c3b88b16339b043e528a1bff245c515573c853020888fbc6ce9d8635220	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = b054a052efdc594dec86b2707a92435dd9f8d015d2e1c149e52a6013d5e2d1c7	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 49cc993176bf4d57bde14fa64f3e0670eb9b924983e163474f0bfce1f71cf7c2	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 0be5d66156c74e971b45937e253ab18c178dd571115a20f6210f7dd29593a5fb	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d002000460069006c00650073005c0043006f006d006d006f006e002000460069006c00650073005c004d006900630072006f0073006f006600740020005300680061007200650064005c004f0046004600490043004500310034005c00430075006c00740075007200650073005c004f00460046004900430045002e004f004400460000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 67ea689f284d2cf4683e45f2ed27921b3d4de9cb33be2aa919a1f327090a271e	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 13e49ac393d0ee733b2bb1c425a7779d7823e91e5fca51565a92e51d10d4c127	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1704	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
1096	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1028	vssvc.exe
Token: SeRestorePrivilege	1028	vssvc.exe
Token: SeAuditPrivilege	1028	vssvc.exe
Token: SeCreateTokenPrivilege	2748	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2748	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2748	WMIC.exe
Token: SeSecurityPrivilege	2748	WMIC.exe
Token: SeTakeOwnershipPrivilege	2748	WMIC.exe
Token: SeLoadDriverPrivilege	2748	WMIC.exe
Token: SeSystemtimePrivilege	2748	WMIC.exe
Token: SeBackupPrivilege	2748	WMIC.exe
Token: SeRestorePrivilege	2748	WMIC.exe
Token: SeShutdownPrivilege	2748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2748	WMIC.exe
Token: SeUndockPrivilege	2748	WMIC.exe
Token: SeManageVolumePrivilege	2748	WMIC.exe
Token: 31	2748	WMIC.exe
Token: 32	2748	WMIC.exe
Token: SeCreateTokenPrivilege	2748	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2748	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2748	WMIC.exe
Token: SeSecurityPrivilege	2748	WMIC.exe
Token: SeTakeOwnershipPrivilege	2748	WMIC.exe
Token: SeLoadDriverPrivilege	2748	WMIC.exe
Token: SeSystemtimePrivilege	2748	WMIC.exe
Token: SeBackupPrivilege	2748	WMIC.exe
Token: SeRestorePrivilege	2748	WMIC.exe
Token: SeShutdownPrivilege	2748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2748	WMIC.exe
Token: SeUndockPrivilege	2748	WMIC.exe
Token: SeManageVolumePrivilege	2748	WMIC.exe
Token: 31	2748	WMIC.exe
Token: 32	2748	WMIC.exe
Token: SeCreateTokenPrivilege	2644	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2644	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2644	WMIC.exe
Token: SeSecurityPrivilege	2644	WMIC.exe
Token: SeTakeOwnershipPrivilege	2644	WMIC.exe
Token: SeLoadDriverPrivilege	2644	WMIC.exe
Token: SeSystemtimePrivilege	2644	WMIC.exe
Token: SeBackupPrivilege	2644	WMIC.exe
Token: SeRestorePrivilege	2644	WMIC.exe
Token: SeShutdownPrivilege	2644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2644	WMIC.exe
Token: SeUndockPrivilege	2644	WMIC.exe
Token: SeManageVolumePrivilege	2644	WMIC.exe
Token: 31	2644	WMIC.exe
Token: 32	2644	WMIC.exe
Token: SeCreateTokenPrivilege	2644	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2644	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2644	WMIC.exe
Token: SeSecurityPrivilege	2644	WMIC.exe
Token: SeTakeOwnershipPrivilege	2644	WMIC.exe
Token: SeLoadDriverPrivilege	2644	WMIC.exe
Token: SeSystemtimePrivilege	2644	WMIC.exe
Token: SeBackupPrivilege	2644	WMIC.exe
Token: SeRestorePrivilege	2644	WMIC.exe
Token: SeShutdownPrivilege	2644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2644	WMIC.exe
Token: SeUndockPrivilege	2644	WMIC.exe
Token: SeManageVolumePrivilege	2644	WMIC.exe
Token: 31	2644	WMIC.exe
Token: 32	2644	WMIC.exe
Token: SeCreateTokenPrivilege	2728	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1704	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2984	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	34
PID 2180 wrote to memory of 2984	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	34
PID 2180 wrote to memory of 2984	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	34
PID 2180 wrote to memory of 2984	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	34
PID 2984 wrote to memory of 2748	2984	cmd.exe	36
PID 2984 wrote to memory of 2748	2984	cmd.exe	36
PID 2984 wrote to memory of 2748	2984	cmd.exe	36
PID 2180 wrote to memory of 2780	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	37
PID 2180 wrote to memory of 2780	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	37
PID 2180 wrote to memory of 2780	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	37
PID 2180 wrote to memory of 2780	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	37
PID 2780 wrote to memory of 2644	2780	cmd.exe	39
PID 2780 wrote to memory of 2644	2780	cmd.exe	39
PID 2780 wrote to memory of 2644	2780	cmd.exe	39
PID 2180 wrote to memory of 2784	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	40
PID 2180 wrote to memory of 2784	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	40
PID 2180 wrote to memory of 2784	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	40
PID 2180 wrote to memory of 2784	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	40
PID 2784 wrote to memory of 2728	2784	cmd.exe	42
PID 2784 wrote to memory of 2728	2784	cmd.exe	42
PID 2784 wrote to memory of 2728	2784	cmd.exe	42
PID 2180 wrote to memory of 2636	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	43
PID 2180 wrote to memory of 2636	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	43
PID 2180 wrote to memory of 2636	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	43
PID 2180 wrote to memory of 2636	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	43
PID 2636 wrote to memory of 2692	2636	cmd.exe	45
PID 2636 wrote to memory of 2692	2636	cmd.exe	45
PID 2636 wrote to memory of 2692	2636	cmd.exe	45
PID 2180 wrote to memory of 3056	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	46
PID 2180 wrote to memory of 3056	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	46
PID 2180 wrote to memory of 3056	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	46
PID 2180 wrote to memory of 3056	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	46
PID 3056 wrote to memory of 580	3056	cmd.exe	48
PID 3056 wrote to memory of 580	3056	cmd.exe	48
PID 3056 wrote to memory of 580	3056	cmd.exe	48
PID 2180 wrote to memory of 2028	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	49
PID 2180 wrote to memory of 2028	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	49
PID 2180 wrote to memory of 2028	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	49
PID 2180 wrote to memory of 2028	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	49
PID 2028 wrote to memory of 1200	2028	cmd.exe	51
PID 2028 wrote to memory of 1200	2028	cmd.exe	51
PID 2028 wrote to memory of 1200	2028	cmd.exe	51
PID 2180 wrote to memory of 1300	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	52
PID 2180 wrote to memory of 1300	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	52
PID 2180 wrote to memory of 1300	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	52
PID 2180 wrote to memory of 1300	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	52
PID 1300 wrote to memory of 1944	1300	cmd.exe	54
PID 1300 wrote to memory of 1944	1300	cmd.exe	54
PID 1300 wrote to memory of 1944	1300	cmd.exe	54
PID 2180 wrote to memory of 2440	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	55
PID 2180 wrote to memory of 2440	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	55
PID 2180 wrote to memory of 2440	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	55
PID 2180 wrote to memory of 2440	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	55
PID 2440 wrote to memory of 1880	2440	cmd.exe	57
PID 2440 wrote to memory of 1880	2440	cmd.exe	57
PID 2440 wrote to memory of 1880	2440	cmd.exe	57
PID 2180 wrote to memory of 2016	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	58
PID 2180 wrote to memory of 2016	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	58
PID 2180 wrote to memory of 2016	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	58
PID 2180 wrote to memory of 2016	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	58
PID 2016 wrote to memory of 1056	2016	cmd.exe	60
PID 2016 wrote to memory of 1056	2016	cmd.exe	60
PID 2016 wrote to memory of 1056	2016	cmd.exe	60
PID 2180 wrote to memory of 2040	2180	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	61

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
"C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2908
- C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
  "C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe"
  2⤵
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B8B17145-7F63-4C9F-B88B-CAD2D9F7949D}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B8B17145-7F63-4C9F-B88B-CAD2D9F7949D}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2748
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E4BD09E8-AC1D-4F60-97E8-3EB7A82DEBD9}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E4BD09E8-AC1D-4F60-97E8-3EB7A82DEBD9}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2644
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6B61F1B9-0076-4B4E-A4A8-0C347AF4BCC7}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6B61F1B9-0076-4B4E-A4A8-0C347AF4BCC7}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2728
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C70BB53C-D749-4A61-B498-87943061C142}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C70BB53C-D749-4A61-B498-87943061C142}'" delete
      4⤵
      PID:2692
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{183E609F-4DAA-41DD-84CD-3F218272416B}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{183E609F-4DAA-41DD-84CD-3F218272416B}'" delete
      4⤵
      PID:580
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8F5998CC-29C3-40EE-A979-4F596B94F64B}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8F5998CC-29C3-40EE-A979-4F596B94F64B}'" delete
      4⤵
      PID:1200
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A4D0AB3-B5FC-4EFF-B663-8E360E15C406}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A4D0AB3-B5FC-4EFF-B663-8E360E15C406}'" delete
      4⤵
      PID:1944
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C5CB54C4-14EA-429A-A427-02197A1B53AD}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C5CB54C4-14EA-429A-A427-02197A1B53AD}'" delete
      4⤵
      PID:1880
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DBEC09BD-E3B2-473B-9ED5-0DFB50A9C4EA}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DBEC09BD-E3B2-473B-9ED5-0DFB50A9C4EA}'" delete
      4⤵
      PID:1056
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CFAA339D-ABBB-4A2F-A043-3EEA040766D3}'" delete
    3⤵
    PID:2040
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CFAA339D-ABBB-4A2F-A043-3EEA040766D3}'" delete
      4⤵
      PID:1516
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B682E805-210F-4EC4-AE05-165F6083B72A}'" delete
    3⤵
    PID:2956
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B682E805-210F-4EC4-AE05-165F6083B72A}'" delete
      4⤵
      PID:2952
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DEC64B2A-68AD-4DF7-9CCC-F11FDA0D2B80}'" delete
    3⤵
    PID:2288
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DEC64B2A-68AD-4DF7-9CCC-F11FDA0D2B80}'" delete
      4⤵
      PID:2456
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C56E56F4-F055-4CC0-AAE2-F9530678124E}'" delete
    3⤵
    PID:2304
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C56E56F4-F055-4CC0-AAE2-F9530678124E}'" delete
      4⤵
      PID:2284
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0D580416-48DD-41A5-843C-EEAB9F3D637D}'" delete
    3⤵
    PID:2452
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0D580416-48DD-41A5-843C-EEAB9F3D637D}'" delete
      4⤵
      PID:1128
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{91E11A9B-A0A0-42C9-A234-2876DF560AA9}'" delete
    3⤵
    PID:2992
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{91E11A9B-A0A0-42C9-A234-2876DF560AA9}'" delete
      4⤵
      PID:1968
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA0B5003-F425-4DAE-A867-E34340F53ACE}'" delete
    3⤵
    PID:2000
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA0B5003-F425-4DAE-A867-E34340F53ACE}'" delete
      4⤵
      PID:372
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F6D5DD5A-0043-40A5-8BD6-7D0C4D8AF64B}'" delete
    3⤵
    PID:616
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F6D5DD5A-0043-40A5-8BD6-7D0C4D8AF64B}'" delete
      4⤵
      PID:1536
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C00897D4-B2CF-4E0D-BD6A-46960C9E1BFA}'" delete
    3⤵
    PID:2472
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C00897D4-B2CF-4E0D-BD6A-46960C9E1BFA}'" delete
      4⤵
      PID:1304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious behavior: LoadsDriver
PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
d7b928096dabbcc94e17a680ab47cb96

SHA1
eb3e6f343656d74052e72948ed7628ad61cdab2a

SHA256
90e875b7db54470c5d532a1b614035d7674308080c721ca0e369cca2ca07e534

SHA512
bca955b70f53981004a465073d1c20dd5de90726caf7b890550decb7ed13b4d9a72554cdd12b3072a1e65638ec6dc229f3ed1c81515633a775ba2bb8db4cd907

Download Submit
C:\Users\Public\log.log

Filesize
3KB

MD5
8a53548d0e88a891f54234efa69868da

SHA1
ca65ef4314190e6ac9e6f409ad9ac73997d0abcd

SHA256
3fe6f0dc078fd7399eaf54217f3f0486040157a134a45ec64f71629bacc13dc3

SHA512
98b2b4d7856edfbe395f09d89b64326aa9966cf5dd27e4bcd1a483b6e4eed42622647c7f2abdb4968923eafbed16668da1ae585aff68f64fd84a961cf61e81a6

Download Submit