Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250217-fr
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250217-fr, locale:fr-fr, os:windows10-ltsc 2021-x64, system, windows
submitted: 20-02-2025 19:01
Behavioral task: behavioral1
Sample: built.exe
Resource: win10ltsc2021-20250217-fr
General
Target: built.exe
Size: 280KB
MD5: ce2de0ede14e0b143ac05634799fea77
SHA1: d466b46837a9af03b9c503bccf6d8b97c5ec9d9b
SHA256: 48719bdc85157f9911c11709e6fd50e4f57b58a6a9e34ddc2084883d2c04c77a
SHA512: cf6afcb1da1020aa1221cac9dc91197ae4e5f41c3d29bb386a7e6849f61f7b198d82f4c9dd9d5a428aed3d54e592796d960b893a4243d734332a712af6688624
SSDEEP: 6144:Cc9pXH6pTJIIczuVf2Qpm7U5jX/KBTvdwFyWKSL4/gCiH:LH6pTJ3c6Vf2QpmINX/KBTvdwFrKSL4S
Malware Config
Signatures

Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware (2 IoCs)
resource / yara_rule:
- behavioral1/memory/1808-1-0x0000000000950000-0x000000000099C000-memory.dmp: family_chaos
- behavioral1/files/0x0008000000027f3c-3.dat: family_chaos

Chaos family

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
- PID 3544 bcdedit.exe
- PID 3516 bcdedit.exe

Deletes backup catalog (1 IoCs)
- PID 1608 wbadmin.exe

Disables Task Manager via registry modification
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
- Key value queried: \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation (built.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation (svchost.exe)
Drops startup file (3 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url (svchost.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (svchost.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt (svchost.exe)
Executes dropped EXE (1 IoCs)
- PID 1044 svchost.exe (the dropped copy at C:\Users\Admin\AppData\Roaming\svchost.exe, not the service host in System32)

Loads dropped DLL (13 IoCs)
- PID 1172 MsiExec.exe (13 occurrences)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Drops desktop.ini file(s) (63 IoCs)
All 63 entries are "File opened for modification" by svchost.exe:
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- C:\Users\Public\desktop.ini
- C:\Users\Public\Libraries\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
- C:\Users\Public\Downloads\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Admin\3D Objects\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Admin\OneDrive\desktop.ini
- C:\Users\Public\AccountPictures\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
- F:\$RECYCLE.BIN\S-1-5-21-1786400979-876203093-3022739302-1000\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 23 entries are "File opened (read-only)" by msiexec.exe, for the drive roots \??\A:, \??\B:, \??\D:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y: and \??\Z:.
Drops file in System32 directory (6 IoCs)
- File created: C:\Windows\SysWOW64\Elevation.tmp (MsiExec.exe)
- File opened for modification: C:\Windows\SysWOW64\msvcr100.dll (msiexec.exe)
- File opened for modification: C:\Windows\SysWOW64\msvcp100.dll (msiexec.exe)
- File opened for modification: C:\Windows\SysWOW64\msvcr110.dll (msiexec.exe)
- File opened for modification: C:\Windows\SysWOW64\msvcp110.dll (msiexec.exe)
- File opened for modification: C:\Windows\SysWOW64\vccorlib110.dll (msiexec.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\t4gl2aqav.jpg" (svchost.exe)
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by msiexec.exe; paths below are relative to C:\Program Files (x86)\Adobe\Acrobat Reader DC\:
- Reader\icudt58.dll
- Reader\Click on 'Change' to select default PDF handler.pdf
- Reader\AcroApp\ENU\CollectSignatures.aapp
- Reader\Tracker\form_responses.gif
- Reader\Tracker\review_email.gif
- Reader\LogTransport2.exe
- Resource\CMap\Identity-H
- Resource\Font\MyriadPro-Bold.otf
- Resource\Font\PFM\zy______.pfm
- Reader\IDTemplates\ENU\DefaultID.pdf
- Reader\AcroApp\ENU\MoreTools.aapp
- Reader\AcroApp\ENU\FillSign.aapp
- Reader\Tracker\open_original_form.gif
- Reader\Tracker\warning.gif
- Resource\Font\MinionPro-Bold.otf
- Reader\AcroSup64.dll
- Reader\AcroApp\ENU\Review_RHP.aapp
- Reader\AcroApp\ENU\Protect_R_RHP.aapp
- Reader\AcroApp\ENU\EPDF_RHP.aapp
- Reader\AcroApp\ENU\TrackedSend.aapp
- Reader\AcroRd32Res.dll
- Reader\reader_sl.exe
- Reader\Browser\WCChromeExtn\manifest.json
- Esl\AiodLite.dll
- ReadMe.htm
- Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp
- Reader\AcroBroker.exe
- Reader\ADelRCP.exe
- Reader\PDFPrevHndlr.dll
- Reader\Tracker\tr.gif
- Reader\plug_ins\Annotations\Stamps\Words.pdf
- Reader\AcroTextExtractor.exe
- Reader\Tracker\email_initiator.gif
- Reader\logsession.dll
- Reader\AcroCEF\libEGL.dll
- Resource\Font\MinionPro-Regular.otf
- Reader\AcroApp\ENU\CPDF_RHP.aapp
- Reader\icudt40.dll
- Reader\Tracker\turnOffNotificationInTray.gif
- Reader\Tracker\turnOnNotificationInAcrobat.gif
- Reader\Tracker\turnOnNotificationInTray.gif
- Resource\Font\MinionPro-It.otf
- Reader\Legal\ENU\license.html
- Reader\PDFSigQFormalRep.pdf
- Reader\AcroApp\ENU\Stamp.aapp
- Reader\AcroCEF\COPYING.LGPLv2.1.txt
- Reader\Welcome.pdf
- Reader\AcroApp\ENU\Pages_R_RHP.aapp
- Reader\RTC.der
- Reader\Microsoft.VCLibs.x86.14.00.appx
- Reader\AcroApp\ENU\Certificates_R.aapp
- Reader\AcroApp\ENU\Comments.aapp
- Reader\AXE8SharedExpat.dll
- Reader\AdobeXMP.dll
- Reader\AGM.dll
- Reader\Tracker\bl.gif
- Reader\Tracker\email_all.gif
- Reader\cryptocme.sig
- Reader\ahclient.dll
- Reader\BIBUtils.dll
- Reader\Tracker\pdf.gif
- Reader\Tracker\reviews_super.gif
- Reader\Tracker\stop_collection_data.gif
- Resource\Font\CourierStd.otf
Drops file in Windows directory (64 IoCs)
File created by msiexec.exe under C:\Windows\Installer\ (30 entries):
- e5a9589.HDR, e5a958c.HDR, e5a958f.HDR, e5a95a4.HDR, e5a95a6.HDR, e5a95a9.HDR, e5a9581.HDR, e5a9587.HDR, e5a9596.HDR, e5a959e.HDR, e5a959c.HDR, e5a95a1.HDR, e5a958b.HDR, e5a95a2.HDR, e5a95a8.HDR, e5a958d.HDR, e5a9595.HDR, e5a9584.HDR, e5a9588.HDR, e5a958e.HDR, e5a95a3.HDR, e5a95a5.HDR, e5a9598.HDR, e5a959f.HDR, e5a957d.HDR, e5a9586.HDR, e5a9585.HDR, e5a9593.HDR, e5a95a0.HDR, e5a95a7.HDR
File opened for modification by msiexec.exe under C:\Windows\Installer\ (30 entries):
- e5a9595.HDR, e5a9581.HDR, e5a9591.HDR, e5a9592.HDR, e5a95a6.HDR, e5a957e.HDR, e5a959b.HDR, e5a959e.HDR, e5a958a.HDR, e5a9599.HDR, e5a95ad.HDR, MSI9463.tmp, MSI9727.tmp, MSI99CA.tmp, e5a9588.HDR, MSI9785.tmp, MSI9A39.tmp, e5a9583.HDR, e5a9585.HDR, e5a95a2.HDR, e5a9590.HDR, e5a95a8.HDR, e5a95af.HDR, e5a958d.HDR, e5a95ac.HDR, the directory C:\Windows\Installer\ itself, MSI9D57.tmp, e5a9594.HDR, MSI99EA.tmp, e5a959d.HDR
File opened for modification by msiexec.exe elsewhere (1 entry):
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
File opened for modification by UserOOBEBroker.exe (3 entries):
- C:\Windows\Panther\UnattendGC\diagerr.xml
- C:\Windows\Panther\UnattendGC\diagwrn.xml
- C:\Windows\Panther\UnattendGC\setupact.log
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Both reads are attributed to FileCoAuth.exe and MsiExec.exe, not to the sample or its dropped svchost.exe.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (FileCoAuth.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments. All four reads are attributed to vds.exe (the Windows Virtual Disk Service), not to the sample.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 (vds.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (vds.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 (vds.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName (vds.exe)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. All three reads are attributed to EXCEL.EXE, not to the sample.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
All three reads are attributed to EXCEL.EXE.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
Interacts with shadow copies (3 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
- PID 2904 vssadmin.exe

Modifies registry class (1 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000_Classes\Local Settings (svchost.exe)

Opens file in notepad (likely ransom note) (1 IoCs)
- PID 2772 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 1044 svchost.exe
- PID 2288 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (45 IoCs)
- PID 1808 built.exe (repeated)
- PID 1044 svchost.exe (repeated)
- PID 3528 WMIC.exe (4 occurrences)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- PID 1808 built.exe: SeDebugPrivilege
- PID 1044 svchost.exe: SeDebugPrivilege
- PID 2408 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 3528 WMIC.exe (the same set of 21 privileges enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege LUIDs 33, 34, 35, 36 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege)
- PID 2628 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- PID 2448 msiexec.exe: SeSecurityPrivilege once, then SeRestorePrivilege (7 times) alternating with SeTakeOwnershipPrivilege (6 times)

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 2772 NOTEPAD.EXE
- PID 4344 taskmgr.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
- PID 1380 SecHealthUI.exe
- PID 2288 EXCEL.EXE (9 occurrences)

Suspicious use of WriteProcessMemory (23 IoCs)
Each line is parent PID (process) wrote to memory of child PID; procid_target is the sandbox's internal id for the target.
- 1808 (built.exe) wrote to 1044, procid_target 80 (2 events)
- 1044 (svchost.exe) wrote to 1592, procid_target 81 (2 events)
- 1592 (cmd.exe) wrote to 2904, procid_target 83 (2 events)
- 1592 (cmd.exe) wrote to 3528, procid_target 86 (2 events)
- 1044 (svchost.exe) wrote to 3256, procid_target 88 (2 events)
- 3256 (cmd.exe) wrote to 3544, procid_target 90 (2 events)
- 3256 (cmd.exe) wrote to 3516, procid_target 91 (2 events)
- 1044 (svchost.exe) wrote to 2028, procid_target 92 (2 events)
- 2028 (cmd.exe) wrote to 1608, procid_target 94 (2 events)
- 1044 (svchost.exe) wrote to 2772, procid_target 100 (2 events)
- 2448 (msiexec.exe) wrote to 1172, procid_target 126 (3 events)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Process tree (indentation shows parent/child nesting; the numeric depth markers of the original view are dropped). The root-level entries after the built.exe tree are separate processes observed during the run: vssvc.exe (Volume Shadow Copy service), wbengine.exe (Block Level Backup Engine, used by wbadmin) and vdsldr.exe/vds.exe (Virtual Disk Service) are the service-side processes activated by the shadow-copy and backup-catalog operations below; the remaining entries are other activity observed during the run.

C:\Users\Admin\AppData\Local\Temp\built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\built.exe"
  PID: 1808
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    PID: 1044
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      PID: 1592
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        PID: 2904
        - Interacts with shadow copies

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        PID: 3528
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      PID: 3256
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        PID: 3544
        - Modifies boot configuration data using bcdedit

      C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {default} recoveryenabled no
        PID: 3516
        - Modifies boot configuration data using bcdedit

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      PID: 2028
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\wbadmin.exe
        Command line: wbadmin delete catalog -quiet
        PID: 1608
        - Deletes backup catalog

    C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
      PID: 2772
      - Opens file in notepad (likely ransom note)
      - Suspicious use of FindShellTrayWindow

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2408
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 2628
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 3264

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 1908
  - Checks SCSI registry key(s)

C:\Windows\System32\oobe\UserOOBEBroker.exe
  Command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  PID: 240
  - Drops file in Windows directory

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
  Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
  PID: 228
  - System Location Discovery: System Language Discovery

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 4344
  - Suspicious use of FindShellTrayWindow

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
  PID: 1380
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\SecurityHealthHost.exe
  Command line: C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
  PID: 756

C:\Windows\System32\SecurityHealthHost.exe
  Command line: C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
  PID: 3656

C:\Windows\System32\SecurityHealthHost.exe
  Command line: C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
  PID: 1844

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2712

C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
  PID: 2288
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2448
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 27A70664269AE2230FCA7E937A9B13D3
    PID: 1172
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
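Detection logic over the tree above, as an added example that is not part of the sandbox report or of the Chaos sample. It rebuilds parent/child relationships from process-creation events, matches the recovery-inhibition commands (vssadmin, wmic shadowcopy, bcdedit, wbadmin) on the tool's own process rather than on the cmd.exe /C string, and escalates when every hit descends from a system-binary name (svchost.exe) running out of a user profile. The EVENTS list is constructed from the PIDs, images and command lines in this report in a Sysmon-Event-ID-1-like shape; the report does not give the parent of built.exe, so its ppid is 0 here. Field names, rule names and the analyze() function are this example's own assumptions; the technique ids are the standard ATT&CK ones for Inhibit System Recovery and Masquerading, which this report's own mapping does not list.

```python
"""Rebuild the process tree from process-creation events and flag the
recovery-inhibition chain shown in this report. Added example for this page,
not code from the sandbox or the Chaos sample. EVENTS is CONSTRUCTED from the
PIDs, images and command lines in the tree above, in a Sysmon-Event-ID-1-like
shape; the report does not give the parent of built.exe, so its ppid is 0 here.
Field names, rule names and analyze() are this example's own assumptions."""
import re
from dataclasses import dataclass

EVENTS = [
    {"pid": 1808, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\built.exe", "command_line": r'"C:\Users\Admin\AppData\Local\Temp\built.exe"'},
    {"pid": 1044, "ppid": 1808, "image": r"C:\Users\Admin\AppData\Roaming\svchost.exe", "command_line": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'},
    {"pid": 1592, "ppid": 1044, "image": r"C:\Windows\System32\cmd.exe", "command_line": r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'},
    {"pid": 2904, "ppid": 1592, "image": r"C:\Windows\system32\vssadmin.exe", "command_line": "vssadmin delete shadows /all /quiet"},
    {"pid": 3528, "ppid": 1592, "image": r"C:\Windows\System32\Wbem\WMIC.exe", "command_line": "wmic shadowcopy delete"},
    {"pid": 3256, "ppid": 1044, "image": r"C:\Windows\System32\cmd.exe", "command_line": r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'},
    {"pid": 3544, "ppid": 3256, "image": r"C:\Windows\system32\bcdedit.exe", "command_line": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 3516, "ppid": 3256, "image": r"C:\Windows\system32\bcdedit.exe", "command_line": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 2028, "ppid": 1044, "image": r"C:\Windows\System32\cmd.exe", "command_line": r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet'},
    {"pid": 1608, "ppid": 2028, "image": r"C:\Windows\system32\wbadmin.exe", "command_line": "wbadmin delete catalog -quiet"},
    {"pid": 2772, "ppid": 1044, "image": r"C:\Windows\system32\NOTEPAD.EXE", "command_line": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt'},
    # Unrelated activity from the same run; it must not produce a finding.
    {"pid": 4344, "ppid": 0, "image": r"C:\Windows\system32\taskmgr.exe", "command_line": r'"C:\Windows\system32\taskmgr.exe" /4'},
]

# (rule name, ATT&CK technique, image basename, case-insensitive regex on the command line).
# Matching the tool's own process, not the cmd.exe /C string, gives one finding per
# command even when a single cmd.exe line chains two commands with '&'.
RULES = [
    ("vssadmin deletes shadow copies", "T1490", "vssadmin.exe", r"\bdelete\s+shadows\b"),
    ("wmic deletes shadow copies", "T1490", "wmic.exe", r"\bshadowcopy\s+delete\b"),
    ("bcdedit disables Windows recovery", "T1490", "bcdedit.exe", r"\brecoveryenabled\s+no\b"),
    ("bcdedit ignores boot failures", "T1490", "bcdedit.exe", r"\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("wbadmin deletes backup catalog", "T1490", "wbadmin.exe", r"\bdelete\s+catalog\b"),
]
COMPILED = [(n, t, exe, re.compile(rx, re.IGNORECASE)) for n, t, exe, rx in RULES]

# Windows system binary names that should never execute from a user profile (T1036).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Index processes by pid; parent links are resolved through ppid lookups."""
    return {e["pid"]: Proc(e["pid"], e["ppid"], e["image"], e["command_line"]) for e in events}


def ancestry(procs, pid):
    """Images from the root of the tree down to pid (cycle-safe for malformed input)."""
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = procs.get(cur.ppid)  # a missing or unrecorded parent ends the walk
    return list(reversed(chain))


def masquerading(proc):
    """True when a well-known system binary name runs from under the Users directory."""
    return basename(proc.image) in SYSTEM_NAMES and bool(USER_PROFILE_RE.match(proc.image))


def find_recovery_inhibition(procs):
    findings = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        for name, technique, exe, rx in COMPILED:
            if basename(p.image) == exe and rx.search(p.cmdline):
                findings.append({"pid": p.pid, "rule": name, "technique": technique,
                                 "chain": ancestry(procs, p.pid)})
    return findings


def analyze(events):
    """Escalate when every recovery-inhibition command descends from a masquerading
    binary, which is exactly the shape of the svchost.exe subtree in this report."""
    procs = build_tree(events)
    findings = find_recovery_inhibition(procs)
    masq = sorted(p.pid for p in procs.values() if masquerading(p))
    masq_images = {procs[pid].image for pid in masq}
    chained = bool(findings) and all(any(img in f["chain"] for img in masq_images) for f in findings)
    return {"findings": findings, "masquerading_pids": masq, "ransomware_chain": chained}


if __name__ == "__main__":
    result = analyze(EVENTS)
    for f in result["findings"]:
        print(f"[{f['technique']}] pid {f['pid']}: {f['rule']}  via " + " > ".join(basename(i) for i in f["chain"]))
    print("masquerading:", result["masquerading_pids"], "ransomware_chain:", result["ransomware_chain"])
```

Running it on the constructed events yields five T1490 findings (PIDs 1608, 2904, 3516, 3528, 3544), one masquerading process (PID 1044) and an escalated verdict; the same rules on the built.exe and taskmgr.exe events alone produce nothing, which is the sanity check a detection rule of this kind should pass before deployment.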
Network
MITRE ATT&CK Enterprise v15 (count of matched signatures in parentheses)
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
Filesize: 226B
MD5:    b92bd19c1a9416298a873dfa43b439b7
SHA1:   7b96a8874aff3a502363f4168332613ebc53d64e
SHA256: 1ac8854abd01c202cf82e4ccdf80bf50319c59bc7a02dce2b19cecfedf7dd4ba
SHA512: 5910691ebdd78a2740117b14f146629874682d196f518f479b8bcb754ed2501a009fc465cb9e3685f7aed8ced7b435690de2b8b8439117abb5f61dc4996387a6

Filesize: 20B
MD5:    43492e7c86992f9200ce43c52129e5e2
SHA1:   39ab84971a5143a2a8b893f14c8e2d2c0d300780
SHA256: 53d7cafcf33472cc7b3f0545f80feaab04c868cd5617f92e15a5c5c88e92c691
SHA512: dfd525a3b4691148ba8fba7e1d1cae9199026f141bd6ef63464a4990d61a690ebab33df85a6076970a564686d7f79d0e0343792fd3a81b6bd79bce75ec4a03a4

Filesize: 1B
MD5:    d1457b72c3fb323a2671125aef3eab5d
SHA1:   5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256: 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512: ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

Filesize: 280KB (hashes identical to the submitted built.exe; this is the sample's own copy written to disk)
MD5:    ce2de0ede14e0b143ac05634799fea77
SHA1:   d466b46837a9af03b9c503bccf6d8b97c5ec9d9b
SHA256: 48719bdc85157f9911c11709e6fd50e4f57b58a6a9e34ddc2084883d2c04c77a
SHA512: cf6afcb1da1020aa1221cac9dc91197ae4e5f41c3d29bb386a7e6849f61f7b198d82f4c9dd9d5a428aed3d54e592796d960b893a4243d734332a712af6688624

Filesize: 57KB
MD5:    c23d4d5a87e08f8a822ad5a8dbd69592
SHA1:   317df555bc309dace46ae5c5589bec53ea8f137e
SHA256: 6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27
SHA512: fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

Filesize: 418KB
MD5:    67f23a38c85856e8a20e815c548cd424
SHA1:   16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256: f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512: 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Filesize: 148KB
MD5:    be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1:   8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256: 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512: dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Filesize: 209KB
MD5:    0e91605ee2395145d077adb643609085
SHA1:   303263aa6889013ce889bd4ea0324acdf35f29f2
SHA256: 5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b
SHA512: 3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be