Analysis
max time kernel: 77s
max time network: 78s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-02-2025 19:25
Behavioral task: behavioral1
Sample: built.exe
Resource: win10v2004-20250217-en
Errors
General
Target: built.exe
Size: 280KB
MD5: ce2de0ede14e0b143ac05634799fea77
SHA1: d466b46837a9af03b9c503bccf6d8b97c5ec9d9b
SHA256: 48719bdc85157f9911c11709e6fd50e4f57b58a6a9e34ddc2084883d2c04c77a
SHA512: cf6afcb1da1020aa1221cac9dc91197ae4e5f41c3d29bb386a7e6849f61f7b198d82f4c9dd9d5a428aed3d54e592796d960b893a4243d734332a712af6688624
SSDEEP: 6144:Cc9pXH6pTJIIczuVf2Qpm7U5jX/KBTvdwFyWKSL4/gCiH:LH6pTJ3c6Vf2QpmINX/KBTvdwFrKSL4S
Malware Config
Signatures
Chaos
Ransomware family first seen in June 2021.
Chaos Ransomware 2 IoCs
resource | yara_rule
behavioral1/memory/4824-1-0x0000000000670000-0x00000000006BC000-memory.dmp | family_chaos
behavioral1/files/0x000400000001e9bf-6.dat | family_chaos
Chaos family
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
4504 | bcdedit.exe
1352 | bcdedit.exe
Deletes backup catalog
pid | Process
3476 | wbadmin.exe
Disables Task Manager via registry modification
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | built.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | svchost.exe
Drops startup file 3 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | svchost.exe
Executes dropped EXE 1 IoCs
pid | Process
3012 | svchost.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 64 IoCs
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hw85pkh94.jpg" | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
3052 | vssadmin.exe
Modifies data under HKEY_USERS 15 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "160" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings | svchost.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
636 | NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
3012 | svchost.exe
Suspicious behavior: EnumeratesProcesses 49 IoCs
Suspicious use of AdjustPrivilegeToken 52 IoCs
Suspicious use of FindShellTrayWindow 22 IoCs
Suspicious use of SendNotifyMessage 20 IoCs
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1848 | OpenWith.exe
612 | firefox.exe
1732 | LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\built.exe (PID 4824)
    Command line: "C:\Users\Admin\AppData\Local\Temp\built.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\svchost.exe (PID 3012)
        Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Drops desktop.ini file(s)
        - Sets desktop wallpaper using registry
        - Modifies registry class
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\cmd.exe (PID 1564)
            Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\vssadmin.exe (PID 3052)
                Command line: vssadmin delete shadows /all /quiet
                - Interacts with shadow copies
            C:\Windows\System32\Wbem\WMIC.exe (PID 4776)
                Command line: wmic shadowcopy delete
                - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\cmd.exe (PID 3356)
            Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\bcdedit.exe (PID 4504)
                Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
                - Modifies boot configuration data using bcdedit
            C:\Windows\system32\bcdedit.exe (PID 1352)
                Command line: bcdedit /set {default} recoveryenabled no
                - Modifies boot configuration data using bcdedit
        C:\Windows\System32\cmd.exe (PID 3108)
            Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\wbadmin.exe (PID 3476)
                Command line: wbadmin delete catalog -quiet
                - Deletes backup catalog
        C:\Windows\system32\NOTEPAD.EXE (PID 636)
            Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
            - Opens file in notepad (likely ransom note)
            - Suspicious use of FindShellTrayWindow
C:\Windows\system32\vssvc.exe (PID 64)
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe (PID 5044)
    Command line: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe (PID 3916)
    Command line: C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe (PID 1932)
    Command line: C:\Windows\System32\vds.exe
    - Checks SCSI registry key(s)
C:\Windows\system32\OpenWith.exe (PID 1848)
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
C:\Program Files\Mozilla Firefox\firefox.exe (PID 3300)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 612)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 4516)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2152 -parentBuildID 20240401114208 -prefsHandle 2052 -prefMapHandle 2072 -prefsLen 21257 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67090b9d-9e53-4c64-bdc6-f2ec8e17928b} 612 "\\.\pipe\gecko-crash-server-pipe.612" gpu
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 4672)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 21257 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2eaadd16-2458-4883-947e-672ba87f01ca} 612 "\\.\pipe\gecko-crash-server-pipe.612" socket
            - Checks processor information in registry
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 3636)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1708 -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 2804 -prefsLen 21326 -prefMapSize 243020 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9acdf0fa-821c-4a53-a4f9-032b13ee3eb2} 612 "\\.\pipe\gecko-crash-server-pipe.612" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 864)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3040 -childID 2 -isForBrowser -prefsHandle 1504 -prefMapHandle 1776 -prefsLen 22178 -prefMapSize 243020 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5428fcd3-b40c-45ea-81b1-b7a59faf3369} 612 "\\.\pipe\gecko-crash-server-pipe.612" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 2164)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4884 -parentBuildID 20240401114208 -prefsHandle 4876 -prefMapHandle 4872 -prefsLen 29363 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9746ea5b-a525-4b8d-ad5c-77d210600d4f} 612 "\\.\pipe\gecko-crash-server-pipe.612" rdd
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 5964)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5244 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5172 -prefMapHandle 5236 -prefsLen 33751 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9899662f-6a93-43af-a5cd-0ad3bd782979} 612 "\\.\pipe\gecko-crash-server-pipe.612" utility
            - Checks processor information in registry
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 5340)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2112 -childID 3 -isForBrowser -prefsHandle 5528 -prefMapHandle 5524 -prefsLen 28631 -prefMapSize 243020 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d1d620d-48a5-4c7a-94e2-07923d515669} 612 "\\.\pipe\gecko-crash-server-pipe.612" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 5348)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1760 -childID 4 -isForBrowser -prefsHandle 5668 -prefMapHandle 5672 -prefsLen 28631 -prefMapSize 243020 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0d9cd29-2e92-4d52-8a3a-a71f03551ffd} 612 "\\.\pipe\gecko-crash-server-pipe.612" tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 5368)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5836 -childID 5 -isForBrowser -prefsHandle 3756 -prefMapHandle 3652 -prefsLen 28631 -prefMapSize 243020 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37f11971-86df-4241-855b-03314f05bd16} 612 "\\.\pipe\gecko-crash-server-pipe.612" tab
C:\Windows\system32\LogonUI.exe (PID 1732)
    Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3912855 /state1:0x41c64e6d
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (3)
    - File Deletion (3)
- Modify Registry (1)
Credential Access
- Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads