Analysis
-
max time kernel
382s -
max time network
383s -
platform
windows11-21h2_x64 -
resource
win11-20250217-en -
resource tags
-
submitted
23/02/2025, 21:44
General
-
Target
https://web.archive.org/web/20110804063940/govnobakovkaxxx.ru
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Badrabbit family
-
CryptoLocker
Ransomware family with multiple variants.
-
Cryptolocker family
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
-
Fantom family
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (679) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
-
Disables Task Manager via registry modification
-
Sets service image path in registry 2 TTPs 8 IoCs
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 10 IoCs
-
Executes dropped EXE 8 IoCs
-
Impair Defenses: Safe Mode Boot 1 TTPs 12 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 42 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 5 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 32 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 13 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://web.archive.org/web/20110804063940/govnobakovkaxxx.ru1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffedcfc3cb8,0x7ffedcfc3cc8,0x7ffedcfc3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2396 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=876 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1808,17861447386950703190,8460141916882927046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe"1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3853269842 && exit"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3853269842 && exit"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 22:06:003⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 22:06:004⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\FDDA.tmp"C:\Windows\FDDA.tmp" \\.\pipe\{77093C3A-AFBE-462C-A6B4-7E88DCC0E5FD}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Birele.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Birele.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 2802⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2560 -ip 25601⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"1⤵
- System Location Discovery: System Language Discovery
- NTFS ADS
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000002343⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CryptoWall.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CryptoWall.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\syswow64\explorer.exe"2⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\svchost.exe-k netsvcs3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\DeriaLock.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\DeriaLock.exe"1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Dharma.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Dharma.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ac\nc123.exe"C:\Windows\system32\ac\nc123.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\ac\mssql.exe"C:\Windows\system32\ac\mssql.exe"2⤵
- Sets service image path in registry
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Drops file in System32 directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\ac\mssql2.exe"C:\Windows\system32\ac\mssql2.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\system32\ac\Shadow.bat" "2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\system32\ac\systembackup.bat" "2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exeFind "="4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\ac\EVER\SearchHost.exe"C:\Windows\system32\ac\EVER\SearchHost.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Fantom.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Fantom.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Safe Mode Boot
1Indicator Removal
2File Deletion
2Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50ebb62268225183da704bc0c20e57851
SHA1310a320d29ee50e1464846a394687036f9ef3963
SHA2562ff609b126f0268e6d6496e9404adc22f624ccf5dec9f49428cb641aa90a72e8
SHA5123c7c76c1b367f1c7e8ff7bfa4de7ecee786bdde82bf5a3d1ff0fce43b16213320b7d7f5dc01052afc29dfa823797b54e363f304f356953690bb17c57ffa525b7
-
Filesize
2.9MB
MD5404df275a6f99e2e527ec8ac44d2e3af
SHA18583867a5c29cb39d43bfefc5a818baa29698c78
SHA25642bb2dce04d6c74356d077c643307f75f30bc8cbb70a6ea0bc3e5afdc50eb9ee
SHA512288291296306d85c90e2affbd19ed2768b050d1018274737e8e53fad8ff7af0dbdbe386912b6741f244123c9fb3199f5e5a0f5f75c0e45727c5408b70dce81f0
-
Filesize
152B
MD50517a9ec1a0298a87dac0ad50c998d79
SHA1c01cab2a1ffb6180134315d827709b46d07018ea
SHA256084f62f24d15ce30e231b1690497a004070932b3618e06d6b26079a489f689a5
SHA512d9be6c0e55a74137b1e6dc882b0e665cb6c18fe80ff585cccff0bd4fc32923b155b62000492613c861b3f0cbfa8996dac7ca12d66fcf06d1b1d0e57294dee84d
-
Filesize
152B
MD5236fd72d944b494ed36178d8c80baa40
SHA1affaef8eea7ac675dfccc68528f9cc828906d209
SHA256c84f8f8ff1471655a154db4ba294d245cdcee376bd482f7b433b42f28d4f0184
SHA5126db4bcd8f81de26f8d5a350019f45be7fe00c3531efbc2cf8e96c696b4e75acc81514fbe10c02410895fa318ec1d2c0bfec429da97451d32d9b0a8c340b2894b
-
Filesize
7KB
MD5d096f198118d9ae5e4d6631db504bdca
SHA10c4b5f3ab17b7474ea39e64b78ac6686b7f44b10
SHA256b9b84897346784c2ff5bc67522abcc413698fe8ca878f16cdb254e9c953d4d1b
SHA512b0d4645e4d4816e7c36a0f44510afe4d8508bd59e6d569819438b774459719885b48cc6c937db4ea7af47ac8b7611becf1a19a75c2ad3a566a7d65a6cf6ea01f
-
Filesize
192B
MD5b7d5a0c8fdd58cffdffb9287b133030f
SHA12607aea1763e04bec1ecc5d77aa1fddc832c182d
SHA256efe062e76c0ebfd3ad73f619e19b47c9f55a43aabb6a794bdd3a4010469ab537
SHA512343bab025a491f9fa4c5a5b1735723ab767019f1b48b7b63b379d65f8bb8013d705a604e04a80d168c7232bb1330e343051430d23d5723df4a703f7e040cb019
-
Filesize
3KB
MD55172a5db80ddeda4997107ecce1008bc
SHA1aabb732d6c1271a8c4fa1cc6630ce1b04cdadd15
SHA256c1695fec9873a57d12ba2bc45eb3323f73a98e70e5e76916ab43fb2c73b73dbf
SHA512b17382a082c2ba2529d14222463d8fefc8489f86c12c948f60727a338d28d3417d8cd3ad53f702a86a42123c6924b16115d1fdb84f4064e082290b77830cb99d
-
Filesize
1KB
MD57d63a1fe126edcb812bf87dbae888899
SHA1f43c1f402d2edabb6c80a665d3995560e21c88cb
SHA2569b644d420d0589af518ab394f41f9d69befa408b1bc06b7996d02695c5d70d5e
SHA512a21a2cce736fa4f6855aeae18e8d4b93f1b96c0792100f29b3edc4a91999f0320475fd716bc9113089df7483417597ce53db25d21c4d2f86d702cf31b4d093a3
-
Filesize
1KB
MD52587d2dc1d9046442815f4405b27c320
SHA1642f1a4cbc23cb723b66d5aea8cc6f1dd0654612
SHA256d00c820c3320373677010f80af055cabb2c5295a5af3c8beac9c446f148c9b03
SHA5120bac23b61518aa2d13cc45e922f1ee8acc049c4aec401beeb639121cce04c3496287d7c34a8a830de1925fdb079d0d9147de0ea27a8eb65004b68b73cf10decf
-
Filesize
6KB
MD517b8ed80f7684d54cad0306e476f7a40
SHA160c059d27d2df1ad14f29861e4e82be4e81f9432
SHA25645fa78c6a60d01e0bb5171997e882774467678ffa47a4f6a82bb53dd97b5996d
SHA51297a042e9e9fd36544d8928560ffc8d1d1d47267fef44eac7d48a3877f259e873a3425c1c55ce965e32e1c2cd6df83b43b23f59795df131f01286b04dc53ecd87
-
Filesize
6KB
MD57605f3ee589c079ce9f45416ed5468c7
SHA1e10b1d626adeb692a1cca41a0bdd6ed7adf454fa
SHA256a7ea768c07f4aca446142ecfe3f9fe01590ae4443d77ff23d2da8408ccb426af
SHA512e4ee803df584f948b4655d82362645308f5eef9eb24970985162458b34afdbb5ef033e7f0be0a14b60fe10f165cbac4bc9a6b3f1910879e8fadc1ba575c1ce31
-
Filesize
7KB
MD5549566bcb0da482a7d307b7e9950a59c
SHA17ad3ba0878632ef321661e7404f02150fd69df45
SHA2560de7a275799a816979779becb577808b7f5b0d1d9f87b87005b4663d7f98ccb8
SHA5127899cb1fcb2850ae58ad997c0b226d810b6571a4ca5fc396e7c399eab6e6105d51a7f126d028632997a36720daf2f14471d268a7945a6b89f2c87e85c1f3889d
-
Filesize
5KB
MD5f94f07e12ba23ef484987cd2032d1f3f
SHA1b0f362d9e52a15acf444fb3134ed3583c6d4bfca
SHA256acdd7330c9aac778f2a409753155aa93cb3e9cc1e20d96d00e2f3fb3663d3be7
SHA512f58467bc720d51221e93df49d7277a4d85e5f91a63a4a1da1c6c89c26cbf1d64c967955e7ec439e6c8d229652a182357277fe67db4be760c0f714b9b4fc17b35
-
Filesize
7KB
MD5f02c53ec75fa8cb8912f889d72265524
SHA1350432e16c9664eea0e1bfd106b4b13b21a6dde5
SHA256760bf8841db5d94ef64d2db0087af1b6dcace0e331cbd039c6a761ac5aea7d21
SHA512b154b818561afacb6a3893ad73a5333abc8bb82ad9b4f5c501bb331986fd10f08a154b24a8e2957cf78e3a1925abe4a62264ae062527f4f0b12b6a6ab043aba9
-
Filesize
372B
MD5a07d37247b33bcf0f5212bb87775a75f
SHA1c3bbbcb5dcc8bc4a5136a8806c781aaf89eac3d2
SHA2568b1b3f5bf5a3e6c2ccc10117d723442186ba408c965e5e460659c62a81ff719d
SHA5129f13d910c488be96c9d4f852301d6ab3989f671014862a5ee3f29670d10ee7398c0c9938e7bc4dcb27048aa5caa71be1ff900306e653ca59903e072d3e264b43
-
Filesize
874B
MD5881c2b0baa332a3d20b65cb0721f111f
SHA18016450b7268507bcdf175bbfbb0b57ec4f8af04
SHA256be056409f8d8e85a43b814f50450fad54d6ab2999d5c7e09277595aaf916f305
SHA5127bd4121d461caba26cd5668da7c137d44f8af75bce5510dfceafeab00030e3a5a630ec31c858cce8090a69dc7a4180ab8ffe3e633ce0d9f5a3c51c05568b00a6
-
Filesize
372B
MD58e5295fc4d30250a93b3e93a2b3782cd
SHA1e12716322ed24920a8cdeb1d9370ffbb23448818
SHA256dcdcd517a77d6abdfed71a9bb30d00e1d4dbdbc365665a41a29d55cea7eb71ff
SHA512e9fb71ff93dfc4eba76a331614e719f5526be479a209c234e2620b6cbec10a78ac0900066d54bfe58c3ddb6ece1ff92b9504d88a213d745255c96e93f4194303
-
Filesize
1KB
MD5d5aaa55080b00272055c8b33b5828640
SHA16f40844506158643dd0ab605703eb6dbca2236db
SHA256c7b0628825856ef84fae245175d0af39c791d2958883b9c310147f392b0de9c9
SHA512761d8e714aff60701c33b7554e9cadc570243023ef2979bb628fe513a1441201779a4baed721d6dcd8ca3efb5cff9996c80c1000ca0fa07759d1da44386b228a
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16KB
MD59a8e0fb6cf4941534771c38bb54a76be
SHA192d45ac2cc921f6733e68b454dc171426ec43c1c
SHA2569ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be
SHA51212ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae
-
Filesize
16KB
MD5d926f072b41774f50da6b28384e0fed1
SHA1237dfa5fa72af61f8c38a1e46618a4de59bd6f10
SHA2564f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249
SHA512a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f
-
Filesize
12KB
MD516c15d20cd70d3e20e180067884572fa
SHA1025464b965ed610536bb9cf653e78208e5a526fc
SHA256c64770da119c58129c4025f0a28fab4657aa93dfba174af87331ec6b450e1a88
SHA5125eb61307016f52a689940a0d80ec3f4327a0eb63901981bc31621c3e8e5d9857e0695d8bd5b056575b62769d0cfdce1efc8d540f7525a28afe643d439653306c
-
Filesize
11KB
MD5ac2e78ed3612644972724a8037d126fd
SHA18c5fdb0fce4bc522dc9dc060b55728f3127dfb63
SHA256cb8b92151d77470114f9c5d83fb36daf8e1413c7e4e3f7cf4595c394ace8f60d
SHA51271d7f27f95ac38b0279a3b60e6ca1493efdc441e15aeea03f5b8c80f6371f07b23133ab90a0615781296b4c621e75315a779be1847bb4d69d1602b568fd26977
-
Filesize
11KB
MD569ed6ac5732e2a864d3d633310004990
SHA1bc5465eab657f3b323a55f4ce5bf3ef800aa1863
SHA2564b17e07b2a0ee7966fff3edf8fb182f7f2ebd0703f8c8f6973a004c5254dcaf2
SHA512a6a7784b84d1c60df7ba14c72653acce8a0c77314254bbf922302b34dd3888967513972ab7b12e13dd4afa0c5b6eea09e231eada455c204259e1968a80c9ccc8
-
Filesize
12KB
MD532f815fe2093eef98888cc705b4a4ac9
SHA130557d6543f1175e443cce8e3f94e8facb40ceb3
SHA2564148b304da7415a5e5ae9f0523fd7958c306de72a0898b5bbe6f769e82002fe4
SHA512343219d58d655e6419501d3fe7ba6163c198cdf504f85a21065124567a7f0699ed7dd284c1f5affda872f8bcb3031cc9b93b5e194fa7a1457c44ebfc3843d272
-
Filesize
21KB
MD5fec89e9d2784b4c015fed6f5ae558e08
SHA1581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2
SHA256489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065
SHA512e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24
-
Filesize
338KB
MD504fb36199787f2e3e2135611a38321eb
SHA165559245709fe98052eb284577f1fd61c01ad20d
SHA256d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
1.6MB
MD58add121fa398ebf83e8b5db8f17b45e0
SHA1c8107e5c5e20349a39d32f424668139a36e6cfd0
SHA25635c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413
SHA5128f81c4552ff561eea9802e5319adcd6c7e5bdd1dc4c91e56fda6bdc9b7e8167b222500a0aee5cf27b0345d1c19ac9fa95ae4fd58d4c359a5232bcf86f03d2273
-
Filesize
10.2MB
MD5f6a3d38aa0ae08c3294d6ed26266693f
SHA19ced15d08ffddb01db3912d8af14fb6cc91773f2
SHA256c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad
SHA512814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515
-
Filesize
6.7MB
MD5f7d94750703f0c1ddd1edd36f6d0371d
SHA1cc9b95e5952e1c870f7be55d3c77020e56c34b57
SHA256659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d
SHA512af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa
-
Filesize
125KB
MD5597de376b1f80c06d501415dd973dcec
SHA1629c9649ced38fd815124221b80c9d9c59a85e74
SHA256f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446
SHA512072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b
-
Filesize
674KB
MD5b2233d1efb0b7a897ea477a66cd08227
SHA1835a198a11c9d106fc6aabe26b9b3e59f6ec68fd
SHA2565fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da
SHA5126ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
Filesize
401KB
MD5f6f7dfe324da976481c8730ffd5509c0
SHA1240f9e6e3caecd8ba5b95a1e426f9d61655a56f1
SHA2567d03ed6535d8c34bf9672eeccb16cd0eca0d50941b7e2e410b0a7be58545d686
SHA5124b1b7a9daa0ee984c124f6059beefac7bb2d24599e435b00f1df6a10d752eef7d5575a69775924a3ed8fda20566f4e1cb07b02eda68b81662fdd128c807929ed
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
344KB
-
Filesize
624KB
-
Filesize
520KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
440KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
200KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
200KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
56KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
48KB