chaos | 3bab06619d98c8cc839d86da5e2af612527a161856bfdf1bc720e2424df25511

Analysis

max time kernel
35s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-02-2025 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SonyVegasCrack.exe
Size

5.6MB
MD5

55d7b767f0213d18e4de54350c3891a9
SHA1

d2b74d78591cedbd9b22de2cf4a155514cafbaca
SHA256

65bfacb5497982e5f9af9c76efc44509fb2629d85c636273d8c7d605a34e8522
SHA512

61b14063501afe53a88c0a8039476a27db5ab4d38b4037eb861355f816bc4f99db133d323cfc674cd691877ac0b9a4b6de9a37cb5f70b21fec37baace2cc3e8b
SSDEEP

384:/3MLWHn3kIsd+KYgCyJpVwjonJ7r91CzKlnnnnnnnu51RTZhpN0epN:rn3kInjryJpVCoJ7r9iwnnnnnnng0en

Score

10^/10

chaos defense_evasion discovery evasion execution impact ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/2660-1-0x0000000001050000-0x00000000015F4000-memory.dmp	family_chaos
behavioral1/files/0x0007000000012117-5.dat	family_chaos
behavioral1/memory/2816-7-0x0000000000AD0000-0x0000000001074000-memory.dmp	family_chaos

Chaos family
chaos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2052	bcdedit.exe
2424	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2764	wbadmin.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wininit.url	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	wininit.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overwritten.html	wininit.exe

Executes dropped EXE 1 IoCs

pid	Process
2816	wininit.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	wininit.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	wininit.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	wininit.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	wininit.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	wininit.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wininit.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	wininit.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	wininit.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wininit.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	wininit.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\481x8gq1n.jpg"	wininit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2584	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000093f479fce7216a42a47a3b6f2d34db6500000000020000000000106600000001000020000000737836e234982b4c510233a70af114efdf5e791cce3784366e7ed6a791e4218c000000000e80000000020000200000002cf8e17cb4d51479999085d5f9f2ae7441d4467b38e0115e06447f8411e03f6320000000c4c961ece2100b1d0d938bf52786f49b9c2ec2d0461a5fe3a27f771807be865540000000caf41a8e8ea78b513b0be7d3cb7378a2b797f835b74a755b23f2b924e67cfbfb6ba8b9626c623039197719662ab05550bdb796c76a6a5bf440f3b5c3f2ff03d7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000093f479fce7216a42a47a3b6f2d34db650000000002000000000010660000000100002000000059c9f2c6eb54f807714a38a310d7d249ab3108cb2606a3a3da19b515a04c12f2000000000e80000000020000200000006a4ce0b54b7bf15e4adbf083fa89753eaf5f90813ff04ec71c5ffc3eab53d40c9000000001f8d3e869a2b385b30e481df450c66bcbae406ea04243d30096cf41077f8c6c50bf3353c7b46c727ab161e682c70f6747230cc2b4a46487af60fcb35e36017a2dd326c1fdaa25aa0294a1835bce8589c6c12bfb82bbba08bd617c53d5a446fbb4ef422cec583e2739c51a9365bb34c573f08a63a3e0f6b5ee7ee3cc58f1cd7fd212dff34e070b4f2d609ff4a189d2e0400000009ba7b0180bb266fd5d3bee2aa48de92e200a333c82bdf360846ba9e272e916cfce3013837790f2823f44a3113d0694845dc3f6f1e1adf621e154cb98d05fe88a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6B88EE61-ED74-11EF-A742-6E295C7D81A3} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 801e37408181db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2816	wininit.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2660	SonyVegasCrack.exe
2660	SonyVegasCrack.exe
2660	SonyVegasCrack.exe
2816	wininit.exe
2816	wininit.exe
2816	wininit.exe
2816	wininit.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	SonyVegasCrack.exe
Token: SeDebugPrivilege	2816	wininit.exe
Token: SeBackupPrivilege	2428	vssvc.exe
Token: SeRestorePrivilege	2428	vssvc.exe
Token: SeAuditPrivilege	2428	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1960	WMIC.exe
Token: SeSecurityPrivilege	1960	WMIC.exe
Token: SeTakeOwnershipPrivilege	1960	WMIC.exe
Token: SeLoadDriverPrivilege	1960	WMIC.exe
Token: SeSystemProfilePrivilege	1960	WMIC.exe
Token: SeSystemtimePrivilege	1960	WMIC.exe
Token: SeProfSingleProcessPrivilege	1960	WMIC.exe
Token: SeIncBasePriorityPrivilege	1960	WMIC.exe
Token: SeCreatePagefilePrivilege	1960	WMIC.exe
Token: SeBackupPrivilege	1960	WMIC.exe
Token: SeRestorePrivilege	1960	WMIC.exe
Token: SeShutdownPrivilege	1960	WMIC.exe
Token: SeDebugPrivilege	1960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1960	WMIC.exe
Token: SeRemoteShutdownPrivilege	1960	WMIC.exe
Token: SeUndockPrivilege	1960	WMIC.exe
Token: SeManageVolumePrivilege	1960	WMIC.exe
Token: 33	1960	WMIC.exe
Token: 34	1960	WMIC.exe
Token: 35	1960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1960	WMIC.exe
Token: SeSecurityPrivilege	1960	WMIC.exe
Token: SeTakeOwnershipPrivilege	1960	WMIC.exe
Token: SeLoadDriverPrivilege	1960	WMIC.exe
Token: SeSystemProfilePrivilege	1960	WMIC.exe
Token: SeSystemtimePrivilege	1960	WMIC.exe
Token: SeProfSingleProcessPrivilege	1960	WMIC.exe
Token: SeIncBasePriorityPrivilege	1960	WMIC.exe
Token: SeCreatePagefilePrivilege	1960	WMIC.exe
Token: SeBackupPrivilege	1960	WMIC.exe
Token: SeRestorePrivilege	1960	WMIC.exe
Token: SeShutdownPrivilege	1960	WMIC.exe
Token: SeDebugPrivilege	1960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1960	WMIC.exe
Token: SeRemoteShutdownPrivilege	1960	WMIC.exe
Token: SeUndockPrivilege	1960	WMIC.exe
Token: SeManageVolumePrivilege	1960	WMIC.exe
Token: 33	1960	WMIC.exe
Token: 34	1960	WMIC.exe
Token: 35	1960	WMIC.exe
Token: SeBackupPrivilege	2960	wbengine.exe
Token: SeRestorePrivilege	2960	wbengine.exe
Token: SeSecurityPrivilege	2960	wbengine.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1644	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1644	iexplore.exe
1644	iexplore.exe
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2816	2660	SonyVegasCrack.exe	30
PID 2660 wrote to memory of 2816	2660	SonyVegasCrack.exe	30
PID 2660 wrote to memory of 2816	2660	SonyVegasCrack.exe	30
PID 2816 wrote to memory of 3004	2816	wininit.exe	31
PID 2816 wrote to memory of 3004	2816	wininit.exe	31
PID 2816 wrote to memory of 3004	2816	wininit.exe	31
PID 3004 wrote to memory of 2584	3004	cmd.exe	33
PID 3004 wrote to memory of 2584	3004	cmd.exe	33
PID 3004 wrote to memory of 2584	3004	cmd.exe	33
PID 3004 wrote to memory of 1960	3004	cmd.exe	37
PID 3004 wrote to memory of 1960	3004	cmd.exe	37
PID 3004 wrote to memory of 1960	3004	cmd.exe	37
PID 2816 wrote to memory of 2924	2816	wininit.exe	39
PID 2816 wrote to memory of 2924	2816	wininit.exe	39
PID 2816 wrote to memory of 2924	2816	wininit.exe	39
PID 2924 wrote to memory of 2052	2924	cmd.exe	41
PID 2924 wrote to memory of 2052	2924	cmd.exe	41
PID 2924 wrote to memory of 2052	2924	cmd.exe	41
PID 2924 wrote to memory of 2424	2924	cmd.exe	42
PID 2924 wrote to memory of 2424	2924	cmd.exe	42
PID 2924 wrote to memory of 2424	2924	cmd.exe	42
PID 2816 wrote to memory of 2184	2816	wininit.exe	43
PID 2816 wrote to memory of 2184	2816	wininit.exe	43
PID 2816 wrote to memory of 2184	2816	wininit.exe	43
PID 2184 wrote to memory of 2764	2184	cmd.exe	45
PID 2184 wrote to memory of 2764	2184	cmd.exe	45
PID 2184 wrote to memory of 2764	2184	cmd.exe	45
PID 2816 wrote to memory of 1644	2816	wininit.exe	49
PID 2816 wrote to memory of 1644	2816	wininit.exe	49
PID 2816 wrote to memory of 1644	2816	wininit.exe	49
PID 1644 wrote to memory of 1740	1644	iexplore.exe	50
PID 1644 wrote to memory of 1740	1644	iexplore.exe	50
PID 1644 wrote to memory of 1740	1644	iexplore.exe	50
PID 1644 wrote to memory of 1740	1644	iexplore.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SonyVegasCrack.exe
"C:\Users\Admin\AppData\Local\Temp\SonyVegasCrack.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Roaming\wininit.exe
  "C:\Users\Admin\AppData\Roaming\wininit.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2584
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1960
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2052
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2424
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:2764
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\overwritten.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1644 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2956

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f2cb961c9de4f7208f5fdf0c872c1df

SHA1
4908ec74ad69b6a42c277fb40a533c25275be204

SHA256
54a3b928493614414d61b381ec243c71b8e738407879c62ccbe311b0e4c66468

SHA512
c3e9d233b6da40228387871097837b79869a3c80eebfcabc2518688bf337d93bc618fa42e8c7319c710c7613b0a58b1c8a668345a3a49094e7c9318e3bde89ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12d43e1b94f454d62f3cafcfe94a9e79

SHA1
ab37729de30e86a7b95f788b8f28a638f68cb221

SHA256
99c500c853f06115b15ffb0552b355c4292ebc28221f989e7d528cb768c297e9

SHA512
a57a2a64bdc686a591be66b5f6c307296da4bedad1486551f13f4401d03f304b6aae2900e8371ad3b6efe9a92b1ec7e6e928ca325996658be9b358041cf01ccb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efc03e07caa0dc8f2cb8a25c992f22b3

SHA1
d65dab0d393b069212c226785bffa379fabeae32

SHA256
437cb1fb078c6c08f651a7f122e2bc514cd27623599f4b37839dcc6f2903b511

SHA512
62586ed6d2646f73de6f35b823c18798b422864510c9ef3583b1b1ebef6a7c79e8df2fde5cc78e9352add8f6e5c1be48a66e95229e0cf3ef9a6034dc774b1de7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63fe6afcf09a447bedf8fdd14c19c9ef

SHA1
6332e13556657e1dede0bf0679fa2b892850ad09

SHA256
47d166619cdfcef45af691dbbe4fe7499f9b90aa24b73a1604d850086e864afa

SHA512
f49e0212fb7b85ed9bca299209c007f83dc736de26d0357dc1fcfadf509d87b23b5ea184c194d72a4bd0c84aa7354b141cbe2c7820a569adec62724893a39887

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb8911b2da123c8b7fd23860ec888bda

SHA1
fab357f1d11ac33f8ada56f2ec1718cbb3a929a1

SHA256
92247e0cbebb4137859612fe7fab82306c8adaa822c78af5cd7a95efc14d3fd0

SHA512
934276e20e9aae6ba231f0f9f4736b6e9e88bf61452d027b1f3b7039d96bf879243a04c50e3885bb95ae2ff3835aa3a786262f644fdfae7805bafbaa9268eefb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45c05a25dfa7e1268b45cf7c62906b0d

SHA1
b93c2a193e349846969d2dd219eb45e59151da25

SHA256
948fe71e164c68ff0545e40f83b530a999a389f205f5122e4e1207edb283fcb5

SHA512
0ccc381bbd33bb2a0dbfc603796d2787d597a18fc7a6f26ffed51aea8b412db08fd308a6208e71c1105418e7427ccf953a7e21520a86da5b5df932a132a0ebf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
447afe18538e5afe45b0cf001e596e40

SHA1
6568771aeaba64962c34d1f302105a67233070e2

SHA256
5401ecb8380cbdb2140bf9dc183441852ed9968a386ecf05a4eadace4af3cbcb

SHA512
5b08f1ff3cd4563da056c8065dc1363e96240717dd08b8dd90787001bce7d946aa7d4dd34c13430d3c34285bfe745e42680fb5f8b0b0364932b7de60da0c860b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48b1e59f5ddec8e283c813f6a1af7c59

SHA1
73b3661cd855c70b42b9414b08a7d05b8b97f7ce

SHA256
d4a421211a2970c176ec1f9f8fb23ee5fffe48d45584a29027d5a16ec1339996

SHA512
dce2dc8d7bee0c0a493e25ea5681ac5a8d14dce6a760b118f3ccd52c0bf7d93e1a0083e6056234f799d011ea9cc0e4f3257bb4f4e54a11dd454aa3ecfa0a9444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2270.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar22E2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\wininit.exe

Filesize
5.6MB

MD5
55d7b767f0213d18e4de54350c3891a9

SHA1
d2b74d78591cedbd9b22de2cf4a155514cafbaca

SHA256
65bfacb5497982e5f9af9c76efc44509fb2629d85c636273d8c7d605a34e8522

SHA512
61b14063501afe53a88c0a8039476a27db5ab4d38b4037eb861355f816bc4f99db133d323cfc674cd691877ac0b9a4b6de9a37cb5f70b21fec37baace2cc3e8b

Download Submit
C:\Users\Admin\Desktop\overwritten.html

Filesize
82B

MD5
fa4a3a1d2ab22fa84d84ec6646c7885c

SHA1
4b9a1e8c6535a9d3e76eb773bb9c54bb852e1eac

SHA256
8fe31ddd89b9f3f9e5107d24d0a1184ab1047fe89142b66d1eba1e117eba2ba3

SHA512
bade982388c07caf9c2b8c967c9f38627b9511294022f710404ecbb18a6d36777b7df7668e175e79d7d642b682c2a3c9fac60d27d7dbc37672579d330d6a2145

Download Submit
memory/2660-0-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

Filesize
4KB

Download
memory/2660-1-0x0000000001050000-0x00000000015F4000-memory.dmp

Filesize
5.6MB

Download
memory/2816-75-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2816-57-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2816-242-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2816-7-0x0000000000AD0000-0x0000000001074000-memory.dmp

Filesize
5.6MB

Download
memory/2816-505-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download