Analysis
- max time kernel: 149s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20250207-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-02-2025 11:32
Behavioral task: behavioral1
- Sample: BloodEagle Ransomware Builder.exe
- Resource: win10v2004-20250207-en
General
- Target: BloodEagle Ransomware Builder.exe
- Size: 683KB
- MD5: bd74ac3a184b41087eaffe1c4e5575f1
- SHA1: dcf0cc5cf9d633f398bda7821bb04b89ac60870d
- SHA256: 87675dc68eac28c09af5658389267f7160d34865aaa4d2abaf4f127432333bcc
- SHA512: bed0db9ed78e0459b151849b6c04ed626a664b6779fdce3b5ccdced5dc06c2eea208b08dc1cf153a6781587c45fba3d92a8f5a27952c58fcace27330a75d9526
- SSDEEP: 3072:hL6xoPurnfsj7A0H7GMgXuD//bFLAkC3IGYWEyNakhm5Zt1HrTM/rFLjZkJ:8kj0aGMVFLQJPJUEFL2
Malware Config
Signatures
- Chaos
  Ransomware family first seen in June 2021.
- Chaos Ransomware (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1944-1-0x0000000000FF0000-0x00000000010A0000-memory.dmp | family_chaos
  behavioral1/files/0x0008000000023dbc-20.dat | family_chaos
  behavioral1/files/0x0017000000023dd5-28.dat | family_chaos
  behavioral1/memory/4996-30-0x00000000001F0000-0x00000000001FC000-memory.dmp | family_chaos
- Chaos family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  pid | Process
  3496 | bcdedit.exe
  1900 | bcdedit.exe
  pid | Process
  1540 | wbadmin.exe
- Disables Task Manager via registry modification
- Downloads MZ/PE file (1 IoCs)
  flow | pid | Process
  37 | 4492 | Process not Found
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation | xgyh.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation | svchost.exe
- Drops startup file (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | svchost.exe
  File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\read_it.txt | taskmgr.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4996 | xgyh.exe
  3252 | svchost.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | svchost.exe
- Drops desktop.ini file(s) (64 IoCs)
description ioc Process File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3932017190-1449707826-1445630-1000\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Public\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini svchost.exe File opened for modification 
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for 
modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Public\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Public\desktop.ini svchost.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\All 
Users\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe -
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  1496 | MicrosoftEdgeUpdate.exe
- Checks SCSI registry key(s) (3 TTPs, 7 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
- Interacts with shadow copies (3 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  1812 | vssadmin.exe
- Modifies registry class (56 IoCs)
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 BloodEagle Ransomware Builder.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 BloodEagle Ransomware Builder.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" BloodEagle Ransomware Builder.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell BloodEagle Ransomware Builder.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" BloodEagle Ransomware Builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 BloodEagle Ransomware Builder.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" BloodEagle Ransomware Builder.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 BloodEagle Ransomware Builder.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags BloodEagle Ransomware Builder.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg BloodEagle Ransomware Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" BloodEagle Ransomware Builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 BloodEagle Ransomware Builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 BloodEagle Ransomware Builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff BloodEagle Ransomware Builder.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings BloodEagle Ransomware Builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 BloodEagle Ransomware Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" BloodEagle Ransomware Builder.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ BloodEagle Ransomware Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" BloodEagle Ransomware Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" BloodEagle Ransomware Builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 BloodEagle Ransomware Builder.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} BloodEagle Ransomware Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" BloodEagle Ransomware Builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 BloodEagle Ransomware Builder.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell BloodEagle Ransomware Builder.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell BloodEagle Ransomware Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" BloodEagle Ransomware Builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff BloodEagle Ransomware Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" BloodEagle Ransomware Builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 BloodEagle Ransomware Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" BloodEagle Ransomware Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" BloodEagle Ransomware Builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff BloodEagle Ransomware Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" BloodEagle Ransomware Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" BloodEagle Ransomware Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" BloodEagle Ransomware Builder.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} BloodEagle Ransomware Builder.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ BloodEagle Ransomware Builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff BloodEagle Ransomware Builder.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 BloodEagle Ransomware Builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 BloodEagle Ransomware Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" BloodEagle Ransomware Builder.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" BloodEagle Ransomware Builder.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg BloodEagle Ransomware 
Builder.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" BloodEagle Ransomware Builder.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU BloodEagle Ransomware Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" BloodEagle Ransomware Builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000c66ed1097c79db0187041b348679db0182ca1f348679db0114000000 BloodEagle Ransomware Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" BloodEagle Ransomware Builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff BloodEagle Ransomware Builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff BloodEagle Ransomware Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" BloodEagle Ransomware Builder.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 BloodEagle Ransomware Builder.exe 
Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" BloodEagle Ransomware Builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots BloodEagle Ransomware Builder.exe -
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid | Process
  296 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 1944 BloodEagle Ransomware Builder.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 4996 xgyh.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 3252 svchost.exe 3252 svchost.exe 1904 taskmgr.exe 1904 taskmgr.exe 3252 svchost.exe 3252 svchost.exe 3252 svchost.exe 3252 svchost.exe 1904 taskmgr.exe 3252 svchost.exe 3252 svchost.exe 3252 svchost.exe 3252 svchost.exe 3252 svchost.exe 3252 svchost.exe 3252 svchost.exe 3252 svchost.exe 1904 taskmgr.exe 1904 taskmgr.exe -
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  1944 | BloodEagle Ransomware Builder.exe
- Suspicious use of AdjustPrivilegeToken (56 IoCs)
description pid Process Token: SeDebugPrivilege 1944 BloodEagle Ransomware Builder.exe Token: SeDebugPrivilege 4996 xgyh.exe Token: SeDebugPrivilege 1904 taskmgr.exe Token: SeSystemProfilePrivilege 1904 taskmgr.exe Token: SeCreateGlobalPrivilege 1904 taskmgr.exe Token: SeDebugPrivilege 3252 svchost.exe Token: SeBackupPrivilege 3068 vssvc.exe Token: SeRestorePrivilege 3068 vssvc.exe Token: SeAuditPrivilege 3068 vssvc.exe Token: SeIncreaseQuotaPrivilege 4772 WMIC.exe Token: SeSecurityPrivilege 4772 WMIC.exe Token: SeTakeOwnershipPrivilege 4772 WMIC.exe Token: SeLoadDriverPrivilege 4772 WMIC.exe Token: SeSystemProfilePrivilege 4772 WMIC.exe Token: SeSystemtimePrivilege 4772 WMIC.exe Token: SeProfSingleProcessPrivilege 4772 WMIC.exe Token: SeIncBasePriorityPrivilege 4772 WMIC.exe Token: SeCreatePagefilePrivilege 4772 WMIC.exe Token: SeBackupPrivilege 4772 WMIC.exe Token: SeRestorePrivilege 4772 WMIC.exe Token: SeShutdownPrivilege 4772 WMIC.exe Token: SeDebugPrivilege 4772 WMIC.exe Token: SeSystemEnvironmentPrivilege 4772 WMIC.exe Token: SeRemoteShutdownPrivilege 4772 WMIC.exe Token: SeUndockPrivilege 4772 WMIC.exe Token: SeManageVolumePrivilege 4772 WMIC.exe Token: 33 4772 WMIC.exe Token: 34 4772 WMIC.exe Token: 35 4772 WMIC.exe Token: 36 4772 WMIC.exe Token: SeIncreaseQuotaPrivilege 4772 WMIC.exe Token: SeSecurityPrivilege 4772 WMIC.exe Token: SeTakeOwnershipPrivilege 4772 WMIC.exe Token: SeLoadDriverPrivilege 4772 WMIC.exe Token: SeSystemProfilePrivilege 4772 WMIC.exe Token: SeSystemtimePrivilege 4772 WMIC.exe Token: SeProfSingleProcessPrivilege 4772 WMIC.exe Token: SeIncBasePriorityPrivilege 4772 WMIC.exe Token: SeCreatePagefilePrivilege 4772 WMIC.exe Token: SeBackupPrivilege 4772 WMIC.exe Token: SeRestorePrivilege 4772 WMIC.exe Token: SeShutdownPrivilege 4772 WMIC.exe Token: SeDebugPrivilege 4772 WMIC.exe Token: SeSystemEnvironmentPrivilege 4772 WMIC.exe Token: SeRemoteShutdownPrivilege 4772 WMIC.exe Token: SeUndockPrivilege 4772 WMIC.exe Token: 
SeManageVolumePrivilege 4772 WMIC.exe Token: 33 4772 WMIC.exe Token: 34 4772 WMIC.exe Token: 35 4772 WMIC.exe Token: 36 4772 WMIC.exe Token: SeBackupPrivilege 2036 wbengine.exe Token: SeRestorePrivilege 2036 wbengine.exe Token: SeSecurityPrivilege 2036 wbengine.exe Token: 33 1904 taskmgr.exe Token: SeIncBasePriorityPrivilege 1904 taskmgr.exe -
- Suspicious use of FindShellTrayWindow (41 IoCs)
pid Process 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe -
- Suspicious use of SendNotifyMessage (40 IoCs)
pid Process 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe -
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1944 | BloodEagle Ransomware Builder.exe
  1944 | BloodEagle Ransomware Builder.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target
  PID 1944 wrote to memory of 4104 | 1944 | BloodEagle Ransomware Builder.exe | 105
  PID 1944 wrote to memory of 4104 | 1944 | BloodEagle Ransomware Builder.exe | 105
  PID 4104 wrote to memory of 3284 | 4104 | csc.exe | 107
  PID 4104 wrote to memory of 3284 | 4104 | csc.exe | 107
  PID 4996 wrote to memory of 3252 | 4996 | xgyh.exe | 112
  PID 4996 wrote to memory of 3252 | 4996 | xgyh.exe | 112
  PID 3252 wrote to memory of 2072 | 3252 | svchost.exe | 115
  PID 3252 wrote to memory of 2072 | 3252 | svchost.exe | 115
  PID 2072 wrote to memory of 1812 | 2072 | cmd.exe | 117
  PID 2072 wrote to memory of 1812 | 2072 | cmd.exe | 117
  PID 2072 wrote to memory of 4772 | 2072 | cmd.exe | 120
  PID 2072 wrote to memory of 4772 | 2072 | cmd.exe | 120
  PID 3252 wrote to memory of 3512 | 3252 | svchost.exe | 121
  PID 3252 wrote to memory of 3512 | 3252 | svchost.exe | 121
  PID 3512 wrote to memory of 3496 | 3512 | cmd.exe | 123
  PID 3512 wrote to memory of 3496 | 3512 | cmd.exe | 123
  PID 3512 wrote to memory of 1900 | 3512 | cmd.exe | 124
  PID 3512 wrote to memory of 1900 | 3512 | cmd.exe | 124
  PID 3252 wrote to memory of 756 | 3252 | svchost.exe | 125
  PID 3252 wrote to memory of 756 | 3252 | svchost.exe | 125
  PID 756 wrote to memory of 1540 | 756 | cmd.exe | 128
  PID 756 wrote to memory of 1540 | 756 | cmd.exe | 128
  PID 3252 wrote to memory of 296 | 3252 | svchost.exe | 134
  PID 3252 wrote to memory of 296 | 3252 | svchost.exe | 134
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\BloodEagle Ransomware Builder.exe "C:\Users\Admin\AppData\Local\Temp\BloodEagle Ransomware Builder.exe"
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aw24lq0m\aw24lq0m.cmdline"
    - Suspicious use of WriteProcessMemory
    PID:4104
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1728.tmp" "c:\Users\Admin\Desktop\CSCF6C45FD940140DDB65D9489188BF948.TMP"
        PID:3284

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping <base64 ping payload omitted>
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1496

C:\Users\Admin\Desktop\xgyh.exe "C:\Users\Admin\Desktop\xgyh.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996
    C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3252
        C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        - Suspicious use of WriteProcessMemory
        PID:2072
            C:\Windows\system32\vssadmin.exe vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
            PID:1812
            C:\Windows\System32\Wbem\WMIC.exe wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
            PID:4772
        C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        - Suspicious use of WriteProcessMemory
        PID:3512
            C:\Windows\system32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
            - Modifies boot configuration data using bcdedit
            PID:3496
            C:\Windows\system32\bcdedit.exe bcdedit /set {default} recoveryenabled no
            - Modifies boot configuration data using bcdedit
            PID:1900
        C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        - Suspicious use of WriteProcessMemory
        PID:756
            C:\Windows\system32\wbadmin.exe wbadmin delete catalog -quiet
            - Deletes backup catalog
            PID:1540
        C:\Windows\system32\NOTEPAD.EXE "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        - Opens file in notepad (likely ransom note)
        PID:296

C:\Windows\system32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
- Drops startup file
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1904

C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\system32\wbengine.exe "C:\Windows\system32\wbengine.exe"
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\vdsldr.exe C:\Windows\System32\vdsldr.exe -Embedding
PID:2148

C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
- Checks SCSI registry key(s)
PID:2256

C:\Windows\system32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
PID:3204
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
Defense Evasion
    Direct Volume Access (1)
    Indicator Removal (3)
        File Deletion (3)
    Modify Registry (1)
Credential Access
    Credentials from Password Stores (1)
        Credentials from Web Browsers (1)
    Unsecured Credentials (1)
        Credentials In Files (1)
Downloads