0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/12/2024, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
Size

612KB
MD5

412ce7c1f8dd5dcfafb5c3af08297c65
SHA1

fd98960ab8e7bfe92fc566237be4bc433332c3f3
SHA256

0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328
SHA512

10e654df43c193ae7786848093967092b0f7fc1bf61ef55e2edf77347acc029ee8dcce9c64a64922f846bcea0b33307e6dabd54ba196f0f2f027a88f3e213748
SSDEEP

12288:/lTMgGurXwc8Xq1m3fdjQU+v4PN/CnBMj5qJwhq92hyuZCZh06H4FCd:/lTMgBrXwc8Xq1Cfdj/PN/IWyuZ+h

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\#HowToRecover.txt

Ransom Note

Your Files Have Been Encrypted! Attention! All your important files have been stolen and encrypted by our advanced attack. Without our special decryption software, theres no way to recover your data! Your ID: [ E8330FE1-1337 ] To restore your files, reach out to us at: [email protected] You can also contact us via Telegram: @Hedaransom Failing to act may result in sensitive company data being leaked or sold. Do NOT use third-party tools, as they may permanently damage your files. Why Trust Us? Before making any payment, you can send us few files for free decryption test. Our business relies on fulfilling our promises. How to Buy Bitcoin? You can purchase Bitcoin to pay the ransom using these trusted platforms: https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/en-gb/how-to-buy/bitcoin https://paxful.com

Emails

[email protected]

URLs

https://paxful.com

Signatures

Renames multiple (7784) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\background.bmp"	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl-hot.png	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.CGM	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15276_.GIF	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186360.WMF	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00166_.WMF	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageSlice.gif	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\#HowToRecover.txt	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\#HowToRecover.txt	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749G.GIF	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\STUBBY2.WMF	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Istanbul	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\#HowToRecover.txt	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183328.WMF	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Track Issues.fdt	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieResume.dotx	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\#HowToRecover.txt	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\slideShow.js	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\#HowToRecover.txt	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\#HowToRecover.txt	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Java\jre7\lib\tzmappings	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Adobe.css	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00923_.WMF	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02269_.WMF	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\cpu.css	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\localizedSettings.css	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDREQS.ICO	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\gadget.xml	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115864.GIF	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFRES.CFG	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\currency.css	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT98SP.POC	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102762.WMF	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21342_.GIF	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\MANIFEST.MF	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Havana	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01491_.WMF	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\background.bmp"	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Wallpaper = "C:\\background.bmp"	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\Wallpaper = "C:\\background.bmp"	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1668	vssvc.exe
Token: SeRestorePrivilege	1668	vssvc.exe
Token: SeAuditPrivilege	1668	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2796	WMIC.exe
Token: SeSecurityPrivilege	2796	WMIC.exe
Token: SeTakeOwnershipPrivilege	2796	WMIC.exe
Token: SeLoadDriverPrivilege	2796	WMIC.exe
Token: SeSystemProfilePrivilege	2796	WMIC.exe
Token: SeSystemtimePrivilege	2796	WMIC.exe
Token: SeProfSingleProcessPrivilege	2796	WMIC.exe
Token: SeIncBasePriorityPrivilege	2796	WMIC.exe
Token: SeCreatePagefilePrivilege	2796	WMIC.exe
Token: SeBackupPrivilege	2796	WMIC.exe
Token: SeRestorePrivilege	2796	WMIC.exe
Token: SeShutdownPrivilege	2796	WMIC.exe
Token: SeDebugPrivilege	2796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2796	WMIC.exe
Token: SeRemoteShutdownPrivilege	2796	WMIC.exe
Token: SeUndockPrivilege	2796	WMIC.exe
Token: SeManageVolumePrivilege	2796	WMIC.exe
Token: 33	2796	WMIC.exe
Token: 34	2796	WMIC.exe
Token: 35	2796	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2796	WMIC.exe
Token: SeSecurityPrivilege	2796	WMIC.exe
Token: SeTakeOwnershipPrivilege	2796	WMIC.exe
Token: SeLoadDriverPrivilege	2796	WMIC.exe
Token: SeSystemProfilePrivilege	2796	WMIC.exe
Token: SeSystemtimePrivilege	2796	WMIC.exe
Token: SeProfSingleProcessPrivilege	2796	WMIC.exe
Token: SeIncBasePriorityPrivilege	2796	WMIC.exe
Token: SeCreatePagefilePrivilege	2796	WMIC.exe
Token: SeBackupPrivilege	2796	WMIC.exe
Token: SeRestorePrivilege	2796	WMIC.exe
Token: SeShutdownPrivilege	2796	WMIC.exe
Token: SeDebugPrivilege	2796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2796	WMIC.exe
Token: SeRemoteShutdownPrivilege	2796	WMIC.exe
Token: SeUndockPrivilege	2796	WMIC.exe
Token: SeManageVolumePrivilege	2796	WMIC.exe
Token: 33	2796	WMIC.exe
Token: 34	2796	WMIC.exe
Token: 35	2796	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2548	WMIC.exe
Token: SeSecurityPrivilege	2548	WMIC.exe
Token: SeTakeOwnershipPrivilege	2548	WMIC.exe
Token: SeLoadDriverPrivilege	2548	WMIC.exe
Token: SeSystemProfilePrivilege	2548	WMIC.exe
Token: SeSystemtimePrivilege	2548	WMIC.exe
Token: SeProfSingleProcessPrivilege	2548	WMIC.exe
Token: SeIncBasePriorityPrivilege	2548	WMIC.exe
Token: SeCreatePagefilePrivilege	2548	WMIC.exe
Token: SeBackupPrivilege	2548	WMIC.exe
Token: SeRestorePrivilege	2548	WMIC.exe
Token: SeShutdownPrivilege	2548	WMIC.exe
Token: SeDebugPrivilege	2548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2548	WMIC.exe
Token: SeRemoteShutdownPrivilege	2548	WMIC.exe
Token: SeUndockPrivilege	2548	WMIC.exe
Token: SeManageVolumePrivilege	2548	WMIC.exe
Token: 33	2548	WMIC.exe
Token: 34	2548	WMIC.exe
Token: 35	2548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2548	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 268 wrote to memory of 2812	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	34
PID 268 wrote to memory of 2812	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	34
PID 268 wrote to memory of 2812	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	34
PID 2812 wrote to memory of 2796	2812	cmd.exe	36
PID 2812 wrote to memory of 2796	2812	cmd.exe	36
PID 2812 wrote to memory of 2796	2812	cmd.exe	36
PID 268 wrote to memory of 2700	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	37
PID 268 wrote to memory of 2700	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	37
PID 268 wrote to memory of 2700	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	37
PID 2700 wrote to memory of 2548	2700	cmd.exe	39
PID 2700 wrote to memory of 2548	2700	cmd.exe	39
PID 2700 wrote to memory of 2548	2700	cmd.exe	39
PID 268 wrote to memory of 2884	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	40
PID 268 wrote to memory of 2884	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	40
PID 268 wrote to memory of 2884	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	40
PID 2884 wrote to memory of 2680	2884	cmd.exe	42
PID 2884 wrote to memory of 2680	2884	cmd.exe	42
PID 2884 wrote to memory of 2680	2884	cmd.exe	42
PID 268 wrote to memory of 2524	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	43
PID 268 wrote to memory of 2524	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	43
PID 268 wrote to memory of 2524	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	43
PID 2524 wrote to memory of 2576	2524	cmd.exe	45
PID 2524 wrote to memory of 2576	2524	cmd.exe	45
PID 2524 wrote to memory of 2576	2524	cmd.exe	45
PID 268 wrote to memory of 2972	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	46
PID 268 wrote to memory of 2972	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	46
PID 268 wrote to memory of 2972	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	46
PID 2972 wrote to memory of 1408	2972	cmd.exe	48
PID 2972 wrote to memory of 1408	2972	cmd.exe	48
PID 2972 wrote to memory of 1408	2972	cmd.exe	48
PID 268 wrote to memory of 308	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	49
PID 268 wrote to memory of 308	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	49
PID 268 wrote to memory of 308	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	49
PID 308 wrote to memory of 1772	308	cmd.exe	51
PID 308 wrote to memory of 1772	308	cmd.exe	51
PID 308 wrote to memory of 1772	308	cmd.exe	51
PID 268 wrote to memory of 2732	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	52
PID 268 wrote to memory of 2732	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	52
PID 268 wrote to memory of 2732	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	52
PID 2732 wrote to memory of 2828	2732	cmd.exe	54
PID 2732 wrote to memory of 2828	2732	cmd.exe	54
PID 2732 wrote to memory of 2828	2732	cmd.exe	54
PID 268 wrote to memory of 1776	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	55
PID 268 wrote to memory of 1776	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	55
PID 268 wrote to memory of 1776	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	55
PID 1776 wrote to memory of 1600	1776	cmd.exe	57
PID 1776 wrote to memory of 1600	1776	cmd.exe	57
PID 1776 wrote to memory of 1600	1776	cmd.exe	57
PID 268 wrote to memory of 2280	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	58
PID 268 wrote to memory of 2280	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	58
PID 268 wrote to memory of 2280	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	58
PID 2280 wrote to memory of 1816	2280	cmd.exe	60
PID 2280 wrote to memory of 1816	2280	cmd.exe	60
PID 2280 wrote to memory of 1816	2280	cmd.exe	60
PID 268 wrote to memory of 2848	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	61
PID 268 wrote to memory of 2848	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	61
PID 268 wrote to memory of 2848	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	61
PID 2848 wrote to memory of 1724	2848	cmd.exe	63
PID 2848 wrote to memory of 1724	2848	cmd.exe	63
PID 2848 wrote to memory of 1724	2848	cmd.exe	63
PID 268 wrote to memory of 1156	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	64
PID 268 wrote to memory of 1156	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	64
PID 268 wrote to memory of 1156	268	0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe	64
PID 1156 wrote to memory of 2964	1156	cmd.exe	66

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
"C:\Users\Admin\AppData\Local\Temp\0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe"
1⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B8B17145-7F63-4C9F-B88B-CAD2D9F7949D}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B8B17145-7F63-4C9F-B88B-CAD2D9F7949D}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E4BD09E8-AC1D-4F60-97E8-3EB7A82DEBD9}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E4BD09E8-AC1D-4F60-97E8-3EB7A82DEBD9}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6B61F1B9-0076-4B4E-A4A8-0C347AF4BCC7}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6B61F1B9-0076-4B4E-A4A8-0C347AF4BCC7}'" delete
    3⤵
    PID:2680
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C70BB53C-D749-4A61-B498-87943061C142}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C70BB53C-D749-4A61-B498-87943061C142}'" delete
    3⤵
    PID:2576
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{183E609F-4DAA-41DD-84CD-3F218272416B}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{183E609F-4DAA-41DD-84CD-3F218272416B}'" delete
    3⤵
    PID:1408
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8F5998CC-29C3-40EE-A979-4F596B94F64B}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8F5998CC-29C3-40EE-A979-4F596B94F64B}'" delete
    3⤵
    PID:1772
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A4D0AB3-B5FC-4EFF-B663-8E360E15C406}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A4D0AB3-B5FC-4EFF-B663-8E360E15C406}'" delete
    3⤵
    PID:2828
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C5CB54C4-14EA-429A-A427-02197A1B53AD}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C5CB54C4-14EA-429A-A427-02197A1B53AD}'" delete
    3⤵
    PID:1600
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DBEC09BD-E3B2-473B-9ED5-0DFB50A9C4EA}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DBEC09BD-E3B2-473B-9ED5-0DFB50A9C4EA}'" delete
    3⤵
    PID:1816
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CFAA339D-ABBB-4A2F-A043-3EEA040766D3}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CFAA339D-ABBB-4A2F-A043-3EEA040766D3}'" delete
    3⤵
    PID:1724
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B682E805-210F-4EC4-AE05-165F6083B72A}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B682E805-210F-4EC4-AE05-165F6083B72A}'" delete
    3⤵
    PID:2964
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DEC64B2A-68AD-4DF7-9CCC-F11FDA0D2B80}'" delete
  2⤵
  PID:2688
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DEC64B2A-68AD-4DF7-9CCC-F11FDA0D2B80}'" delete
    3⤵
    PID:1460
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C56E56F4-F055-4CC0-AAE2-F9530678124E}'" delete
  2⤵
  PID:2156
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C56E56F4-F055-4CC0-AAE2-F9530678124E}'" delete
    3⤵
    PID:2124
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0D580416-48DD-41A5-843C-EEAB9F3D637D}'" delete
  2⤵
  PID:1940
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0D580416-48DD-41A5-843C-EEAB9F3D637D}'" delete
    3⤵
    PID:448
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{91E11A9B-A0A0-42C9-A234-2876DF560AA9}'" delete
  2⤵
  PID:2412
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{91E11A9B-A0A0-42C9-A234-2876DF560AA9}'" delete
    3⤵
    PID:836
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA0B5003-F425-4DAE-A867-E34340F53ACE}'" delete
  2⤵
  PID:1860
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA0B5003-F425-4DAE-A867-E34340F53ACE}'" delete
    3⤵
    PID:1708
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F6D5DD5A-0043-40A5-8BD6-7D0C4D8AF64B}'" delete
  2⤵
  PID:764
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F6D5DD5A-0043-40A5-8BD6-7D0C4D8AF64B}'" delete
    3⤵
    PID:1684
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C00897D4-B2CF-4E0D-BD6A-46960C9E1BFA}'" delete
  2⤵
  PID:620
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C00897D4-B2CF-4E0D-BD6A-46960C9E1BFA}'" delete
    3⤵
    PID:2788
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 268 -s 520
  2⤵
  PID:1376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\#HowToRecover.txt

Filesize
871B

MD5
83f8bacb8f86e7e33ce04386ce1c9228

SHA1
6812db951e3094ac5dd7ee9791c6b6b7dc07b003

SHA256
b8ffd1c3f47e917c996bce4de87b4bc54f9f302366bbd84ab82af1631a778768

SHA512
ebacb4c6702e00efe00be5fc79f76c73079801286c7b70a6cfaef08b591666854ca693113fa9e0b2a25f8ee62b7de13d937b9b7f5739023a498f2ef669e6ae28

Download Submit