Analysis
max time kernel: 207s
max time network: 212s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250217-uk
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250217-uk, locale:uk-ua, os:windows10-ltsc 2021-x64, system:windows
submitted: 21-02-2025 20:25
Behavioral task: behavioral1
Sample: Test.exe
Resource: win10ltsc2021-20250217-uk
General
Target: Test.exe
Size: 816KB
MD5: 7d665d19c599e7dde4678186a93cd68c
SHA1: ee40d4a8c9f93841af4a6ce9eded30ae00d6c28c
SHA256: 983223d3c64d68f560b7315bc8b32610c7606382e8778537bee3cfe70dff1f76
SHA512: 522072b91c03497a84d0df047ea2be56143e58878e7064ab3c82877499df1822c43701fb9233a8ae9b1a7fe7824d0171905d5f1fb676529439c792b1c9857b1a
SSDEEP: 12288:pn7H1QuMhey5GsQjlXfDVtemY79zhrGdb+qe2gUc2j+pey7lDrKhlHNtwGmI4mmh:VH1g2RNmjBaWmm
Malware Config
Signatures
Chaos
Ransomware family first seen in June 2021.
Chaos Ransomware 2 IoCs
  resource | yara_rule
  behavioral1/memory/2900-1-0x0000000000EF0000-0x0000000000FC2000-memory.dmp | family_chaos
  behavioral1/files/0x000c000000027df3-2.dat | family_chaos
Chaos family
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  pid | Process
  1984 | bcdedit.exe
  4036 | bcdedit.exe
Deletes backup catalog
  pid | Process
  1132 | wbadmin.exe
Disables Task Manager via registry modification
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation | Test.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation | svchost.exe
Drops startup file 5 IoCs
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
  File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\svchost.url | taskmgr.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.txt | svchost.exe
  File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\readme.txt | taskmgr.exe
Executes dropped EXE 1 IoCs
  pid | Process
  4624 | svchost.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops desktop.ini file(s) 63 IoCs
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\n7ovcq3cj.jpg" | svchost.exe
Drops file in Windows directory 1 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  2728 | vssadmin.exe
Modifies registry class 1 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000_Classes\Local Settings | svchost.exe
Opens file in notepad (likely ransom note) 4 IoCs
  pid | Process
  392 | NOTEPAD.EXE
  4768 | NOTEPAD.EXE
  1724 | NOTEPAD.EXE
  3584 | NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 3 IoCs
  pid | Process
  4624 | svchost.exe
  3784 | WINWORD.EXE
  3784 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process | consecutive entries in the listing
  2900 | Test.exe | 19
  4624 | svchost.exe | 11
  4520 | taskmgr.exe | 7
  4624 | svchost.exe | 11
  4520 | taskmgr.exe | 2
  3108 | WMIC.exe | 4
  4520 | taskmgr.exe | 10
Suspicious use of AdjustPrivilegeToken 55 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2900 | Test.exe
  Token: SeDebugPrivilege | 4624 | svchost.exe
  Token: SeDebugPrivilege | 4520 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4520 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4520 | taskmgr.exe
  Token: SeBackupPrivilege | 3464 | vssvc.exe
  Token: SeRestorePrivilege | 3464 | vssvc.exe
  Token: SeAuditPrivilege | 3464 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 3108 | WMIC.exe
  Token: SeSecurityPrivilege | 3108 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3108 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3108 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3108 | WMIC.exe
  Token: SeSystemtimePrivilege | 3108 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3108 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3108 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3108 | WMIC.exe
  Token: SeBackupPrivilege | 3108 | WMIC.exe
  Token: SeRestorePrivilege | 3108 | WMIC.exe
  Token: SeShutdownPrivilege | 3108 | WMIC.exe
  Token: SeDebugPrivilege | 3108 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3108 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3108 | WMIC.exe
  Token: SeUndockPrivilege | 3108 | WMIC.exe
  Token: SeManageVolumePrivilege | 3108 | WMIC.exe
  Token: 33 | 3108 | WMIC.exe
  Token: 34 | 3108 | WMIC.exe
  Token: 35 | 3108 | WMIC.exe
  Token: 36 | 3108 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 3108 | WMIC.exe
  Token: SeSecurityPrivilege | 3108 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3108 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3108 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3108 | WMIC.exe
  Token: SeSystemtimePrivilege | 3108 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3108 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3108 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3108 | WMIC.exe
  Token: SeBackupPrivilege | 3108 | WMIC.exe
  Token: SeRestorePrivilege | 3108 | WMIC.exe
  Token: SeShutdownPrivilege | 3108 | WMIC.exe
  Token: SeDebugPrivilege | 3108 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3108 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3108 | WMIC.exe
  Token: SeUndockPrivilege | 3108 | WMIC.exe
  Token: SeManageVolumePrivilege | 3108 | WMIC.exe
  Token: 33 | 3108 | WMIC.exe
  Token: 34 | 3108 | WMIC.exe
  Token: 35 | 3108 | WMIC.exe
  Token: 36 | 3108 | WMIC.exe
  Token: SeBackupPrivilege | 4908 | wbengine.exe
  Token: SeRestorePrivilege | 4908 | wbengine.exe
  Token: SeSecurityPrivilege | 4908 | wbengine.exe
  Token: 33 | 4520 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 4520 | taskmgr.exe
Suspicious use of FindShellTrayWindow 44 IoCs
  pid | Process | consecutive entries in the listing
  4520 | taskmgr.exe | 44
Suspicious use of SendNotifyMessage 44 IoCs
  pid | Process | consecutive entries in the listing
  4520 | taskmgr.exe | 44
Suspicious use of SetWindowsHookEx 10 IoCs
  pid | Process | consecutive entries in the listing
  1780 | mspaint.exe | 4
  3784 | WINWORD.EXE | 6
Suspicious use of WriteProcessMemory 22 IoCs
(each of the 11 rows below appears twice in the listing)
  description | pid | Process | procid_target
  PID 2900 wrote to memory of 4624 | 2900 | Test.exe | 80
  PID 4624 wrote to memory of 1468 | 4624 | svchost.exe | 83
  PID 1468 wrote to memory of 2728 | 1468 | cmd.exe | 85
  PID 1468 wrote to memory of 3108 | 1468 | cmd.exe | 88
  PID 4624 wrote to memory of 5032 | 4624 | svchost.exe | 90
  PID 5032 wrote to memory of 1984 | 5032 | cmd.exe | 92
  PID 5032 wrote to memory of 4036 | 5032 | cmd.exe | 93
  PID 4624 wrote to memory of 2776 | 4624 | svchost.exe | 94
  PID 2776 wrote to memory of 1132 | 2776 | cmd.exe | 96
  PID 4624 wrote to memory of 392 | 4624 | svchost.exe | 102
  PID 4004 wrote to memory of 4204 | 4004 | cmd.exe | 115
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indentation shows parent/child relationships in the process tree; each entry lists path, command line, matched signatures and PID)

C:\Users\Admin\AppData\Local\Temp\Test.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Test.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2900
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4624
    C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
      PID: 1468
      C:\Windows\system32\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
        PID: 2728
      C:\Windows\System32\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3108
    C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      - Suspicious use of WriteProcessMemory
      PID: 5032
      C:\Windows\system32\bcdedit.exe
        command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
        PID: 1984
      C:\Windows\system32\bcdedit.exe
        command line: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
        PID: 4036
    C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      - Suspicious use of WriteProcessMemory
      PID: 2776
      C:\Windows\system32\wbadmin.exe
        command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
        PID: 1132
    C:\Windows\system32\NOTEPAD.EXE
      command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
      - Opens file in notepad (likely ransom note)
      PID: 392

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops startup file
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4520

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 3464

C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 4908

C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 2908

C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
  PID: 2028

C:\Windows\system32\NOTEPAD.EXE
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\README.txt
  - Opens file in notepad (likely ransom note)
  PID: 4768

C:\Windows\System32\NOTEPAD.EXE
  command line: "C:\Windows\System32\NOTEPAD.EXE" C:\windows-delete-winpe.bat
  PID: 1456

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows-delete-winpe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 4004
  C:\Windows\system32\diskpart.exe
    command line: diskpart /s C:\diskpart.txt
    PID: 4204

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3476

C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 3540

C:\Windows\System32\fontview.exe
  command line: "C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\CloseUnregister.otf
  PID: 292

C:\Windows\system32\NOTEPAD.EXE
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\desktop.ini
  - Opens file in notepad (likely ransom note)
  PID: 1724

C:\Windows\system32\mspaint.exe
  command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg"
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID: 1780

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
  PID: 2512

C:\Windows\system32\NOTEPAD.EXE
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\desktop.ini
  - Opens file in notepad (likely ransom note)
  PID: 3584

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\BackupPush.dotm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 3784
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  Direct Volume Access 1
  Indicator Removal 3
    File Deletion 3
  Modify Registry 1
Credential Access
  Credentials from Password Stores 1
    Credentials from Web Browsers 1
  Unsecured Credentials 1
    Credentials In Files 1
Downloads