Analysis
- max time kernel: 309s
- max time network: 311s
- platform: windows11-21h2_x64
- resource: win11-20250313-en
- resource tags: arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 28/03/2025, 06:32
Behavioral task: behavioral1
- Sample: BloodEagle Ransomware Builder.exe
- Resource: win11-20250313-en
General
- Target: BloodEagle Ransomware Builder.exe
- Size: 683KB
- MD5: bd74ac3a184b41087eaffe1c4e5575f1
- SHA1: dcf0cc5cf9d633f398bda7821bb04b89ac60870d
- SHA256: 87675dc68eac28c09af5658389267f7160d34865aaa4d2abaf4f127432333bcc
- SHA512: bed0db9ed78e0459b151849b6c04ed626a664b6779fdce3b5ccdced5dc06c2eea208b08dc1cf153a6781587c45fba3d92a8f5a27952c58fcace27330a75d9526
- SSDEEP: 3072:hL6xoPurnfsj7A0H7GMgXuD//bFLAkC3IGYWEyNakhm5Zt1HrTM/rFLjZkJ:8kj0aGMVFLQJPJUEFL2
Malware Config
- Extracted: C:\Users\Admin\read_it.txt
Signatures
- Chaos
  Ransomware family first seen in June 2021.
- Chaos Ransomware (4 IoCs)
  resource | yara_rule
  behavioral1/memory/2628-1-0x0000000000650000-0x0000000000700000-memory.dmp | family_chaos
  behavioral1/files/0x001900000002affb-17.dat | family_chaos
  behavioral1/files/0x001d00000002b002-28.dat | family_chaos
  behavioral1/memory/5088-29-0x0000000000E10000-0x0000000000E1E000-memory.dmp | family_chaos
- Chaos family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  pid | Process
  1980 | bcdedit.exe
  1600 | bcdedit.exe
- pid | Process
  3296 | wbadmin.exe
- Disables Task Manager via registry modification
- Drops startup file (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | svchost.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  5088 | randsom.exe
  2640 | svchost.exe
  3596 | svchost.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | svchost.exe
- Drops desktop.ini file(s) (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | svchost.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | svchost.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Music\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | svchost.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Downloads\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | svchost.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2081498128-3109241912-2948996266-1000\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | svchost.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | svchost.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | svchost.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | svchost.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Documents\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Downloads\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Libraries\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | svchost.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | svchost.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Links\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | svchost.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Pictures\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Favorites\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Desktop\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Music\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Documents\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Searches\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | svchost.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Videos\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Contacts\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Admin\Videos\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\desktop.ini | svchost.exe
  File opened for modification | C:\Users\Public\Desktop\desktop.ini | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | vds.exe
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Winword.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Winword.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Winword.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | Winword.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | Winword.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | Winword.exe
- Interacts with shadow copies (3 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  2384 | vssadmin.exe
- description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Modifies registry class (64 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | BloodEagle Ransomware Builder.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | BloodEagle Ransomware Builder.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff | BloodEagle Ransomware Builder.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" | BloodEagle Ransomware Builder.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | BloodEagle Ransomware Builder.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | BloodEagle Ransomware Builder.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | BloodEagle Ransomware Builder.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | BloodEagle Ransomware Builder.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | BloodEagle Ransomware Builder.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | BloodEagle Ransomware Builder.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\ltjo_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\"" | OpenWith.exe
  Key created | \Registry\User\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\NotificationData | BloodEagle Ransomware Builder.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | BloodEagle Ransomware Builder.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | BloodEagle Ransomware Builder.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | BloodEagle Ransomware Builder.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\21ru_auto_file\shell\edit\command\ = "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\Winword.exe\" /n \"%1\"" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings | BloodEagle Ransomware Builder.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | BloodEagle Ransomware Builder.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | BloodEagle Ransomware Builder.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | BloodEagle Ransomware Builder.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | BloodEagle Ransomware Builder.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | BloodEagle Ransomware Builder.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | BloodEagle Ransomware Builder.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\21ru_auto_file | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\.21ru\ = "21ru_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\21ru_auto_file\shell\edit | OpenWith.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | BloodEagle Ransomware Builder.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" | BloodEagle Ransomware Builder.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | BloodEagle Ransomware Builder.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | BloodEagle Ransomware Builder.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\.ltjo\ = "ltjo_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\ltjo_auto_file\shell | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\21ru_auto_file\shell | OpenWith.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | BloodEagle Ransomware Builder.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | BloodEagle Ransomware Builder.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | BloodEagle Ransomware Builder.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | BloodEagle Ransomware Builder.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | BloodEagle Ransomware Builder.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\21ru_auto_file\shell\edit\command | OpenWith.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | BloodEagle Ransomware Builder.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | BloodEagle Ransomware Builder.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\ltjo_auto_file | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | BloodEagle Ransomware Builder.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | BloodEagle Ransomware Builder.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | BloodEagle Ransomware Builder.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | BloodEagle Ransomware Builder.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\.21ru | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\鰀䆟縀䆁 | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | BloodEagle Ransomware Builder.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | BloodEagle Ransomware Builder.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | BloodEagle Ransomware Builder.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | BloodEagle Ransomware Builder.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000 | BloodEagle Ransomware Builder.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | BloodEagle Ransomware Builder.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff | BloodEagle Ransomware Builder.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\ltjo_auto_file\shell\Read | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | BloodEagle Ransomware Builder.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | BloodEagle Ransomware Builder.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | BloodEagle Ransomware Builder.exe
  Key created | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | BloodEagle Ransomware Builder.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | BloodEagle Ransomware Builder.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | BloodEagle Ransomware Builder.exe
- Opens file in notepad (likely ransom note) (2 IoCs)
  pid | Process
  2804 | NOTEPAD.EXE
  1876 | NOTEPAD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  4100 | Winword.exe
  4100 | Winword.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process  (repeated rows are collapsed with a (xN) count)
  2628 | BloodEagle Ransomware Builder.exe (x19)
  5088 | randsom.exe (x19)
  2640 | svchost.exe (x19)
  3596 | svchost.exe (x5)
  5092 | AcroRd32.exe (x2)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  1632 | OpenWith.exe
  1412 | OpenWith.exe
- Suspicious use of AdjustPrivilegeToken (52 IoCs)
  description | pid | Process  (repeated rows are collapsed with a (xN) count)
  Token: SeDebugPrivilege | 2628 | BloodEagle Ransomware Builder.exe
  Token: SeDebugPrivilege | 5088 | randsom.exe
  Token: SeDebugPrivilege | 2640 | svchost.exe
  Token: SeDebugPrivilege | 3596 | svchost.exe
  Token: SeBackupPrivilege | 2856 | vssvc.exe
  Token: SeRestorePrivilege | 2856 | vssvc.exe
  Token: SeAuditPrivilege | 2856 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 3020 | WMIC.exe (x2)
  Token: SeSecurityPrivilege | 3020 | WMIC.exe (x2)
  Token: SeTakeOwnershipPrivilege | 3020 | WMIC.exe (x2)
  Token: SeLoadDriverPrivilege | 3020 | WMIC.exe (x2)
  Token: SeSystemProfilePrivilege | 3020 | WMIC.exe (x2)
  Token: SeSystemtimePrivilege | 3020 | WMIC.exe (x2)
  Token: SeProfSingleProcessPrivilege | 3020 | WMIC.exe (x2)
  Token: SeIncBasePriorityPrivilege | 3020 | WMIC.exe (x2)
  Token: SeCreatePagefilePrivilege | 3020 | WMIC.exe (x2)
  Token: SeBackupPrivilege | 3020 | WMIC.exe (x2)
  Token: SeRestorePrivilege | 3020 | WMIC.exe (x2)
  Token: SeShutdownPrivilege | 3020 | WMIC.exe (x2)
  Token: SeDebugPrivilege | 3020 | WMIC.exe (x2)
  Token: SeSystemEnvironmentPrivilege | 3020 | WMIC.exe (x2)
  Token: SeRemoteShutdownPrivilege | 3020 | WMIC.exe (x2)
  Token: SeUndockPrivilege | 3020 | WMIC.exe (x2)
  Token: SeManageVolumePrivilege | 3020 | WMIC.exe (x2)
  Token: 33 | 3020 | WMIC.exe (x2)
  Token: 34 | 3020 | WMIC.exe (x2)
  Token: 35 | 3020 | WMIC.exe (x2)
  Token: 36 | 3020 | WMIC.exe (x2)
  Token: SeBackupPrivilege | 1028 | wbengine.exe
  Token: SeRestorePrivilege | 1028 | wbengine.exe
  Token: SeSecurityPrivilege | 1028 | wbengine.exe
- Suspicious use of SetWindowsHookEx (63 IoCs)
  pid | Process  (repeated rows are collapsed with a (xN) count)
  2628 | BloodEagle Ransomware Builder.exe (x2)
  1632 | OpenWith.exe (x35)
  5092 | AcroRd32.exe (x4)
  1412 | OpenWith.exe (x13)
  4100 | Winword.exe (x9)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target  (repeated rows are collapsed with a (xN) count)
  PID 2628 wrote to memory of 1596 | 2628 | BloodEagle Ransomware Builder.exe | 82 (x2)
  PID 1596 wrote to memory of 2428 | 1596 | csc.exe | 84 (x2)
  PID 5088 wrote to memory of 2640 | 5088 | randsom.exe | 90 (x2)
  PID 2640 wrote to memory of 5020 | 2640 | svchost.exe | 93 (x2)
  PID 3972 wrote to memory of 3596 | 3972 | cmd.exe | 95 (x2)
  PID 5020 wrote to memory of 2384 | 5020 | cmd.exe | 96 (x2)
  PID 5020 wrote to memory of 3020 | 5020 | cmd.exe | 99 (x2)
  PID 2640 wrote to memory of 1988 | 2640 | svchost.exe | 101 (x2)
  PID 1988 wrote to memory of 1980 | 1988 | cmd.exe | 103 (x2)
  PID 1988 wrote to memory of 1600 | 1988 | cmd.exe | 104 (x2)
  PID 2640 wrote to memory of 3828 | 2640 | svchost.exe | 105 (x2)
  PID 3828 wrote to memory of 3296 | 3828 | cmd.exe | 107 (x2)
  PID 2640 wrote to memory of 2804 | 2640 | svchost.exe | 113 (x2)
  PID 1632 wrote to memory of 5092 | 1632 | OpenWith.exe | 116 (x3)
  PID 5092 wrote to memory of 3572 | 5092 | AcroRd32.exe | 118 (x3)
  PID 3572 wrote to memory of 1712 | 3572 | RdrCEF.exe | 119 (x32)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\BloodEagle Ransomware Builder.exe  (PID 2628)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\BloodEagle Ransomware Builder.exe"
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    [level 2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (PID 1596)
      cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qisu0o5r\qisu0o5r.cmdline"
      - Suspicious use of WriteProcessMemory
        [level 3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (PID 2428)
          cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99AB.tmp" "c:\Users\Admin\Downloads\CSCBCF70D1D8FDC4900A276367DF7D7740.TMP"

[level 1] C:\Windows\System32\rundll32.exe  (PID 3852)
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[level 1] C:\Users\Admin\Downloads\randsom.exe  (PID 5088)
  cmdline: "C:\Users\Admin\Downloads\randsom.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    [level 2] C:\Users\Admin\AppData\Roaming\svchost.exe  (PID 2640)
      cmdline: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        [level 3] C:\Windows\System32\cmd.exe  (PID 5020)
          cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
          - Suspicious use of WriteProcessMemory
            [level 4] C:\Windows\system32\vssadmin.exe  (PID 2384)
              cmdline: vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
            [level 4] C:\Windows\System32\Wbem\WMIC.exe  (PID 3020)
              cmdline: wmic shadowcopy delete
              - Suspicious use of AdjustPrivilegeToken
        [level 3] C:\Windows\System32\cmd.exe  (PID 1988)
          cmdline: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          - Suspicious use of WriteProcessMemory
            [level 4] C:\Windows\system32\bcdedit.exe  (PID 1980)
              cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
              - Modifies boot configuration data using bcdedit
            [level 4] C:\Windows\system32\bcdedit.exe  (PID 1600)
              cmdline: bcdedit /set {default} recoveryenabled no
              - Modifies boot configuration data using bcdedit
        [level 3] C:\Windows\System32\cmd.exe  (PID 3828)
          cmdline: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          - Suspicious use of WriteProcessMemory
            [level 4] C:\Windows\system32\wbadmin.exe  (PID 3296)
              cmdline: wbadmin delete catalog -quiet
              - Deletes backup catalog
        [level 3] C:\Windows\system32\NOTEPAD.EXE  (PID 2804)
          cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
          - Opens file in notepad (likely ransom note)

[level 1] C:\Windows\system32\cmd.exe  (PID 3972)
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
  - Suspicious use of WriteProcessMemory
    [level 2] C:\Users\Admin\AppData\Roaming\svchost.exe  (PID 3596)
      cmdline: C:\Users\Admin\AppData\Roaming\svchost.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

[level 1] C:\Windows\system32\vssvc.exe  (PID 2856)
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

[level 1] C:\Windows\system32\wbengine.exe  (PID 1028)
  cmdline: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

[level 1] C:\Windows\System32\vdsldr.exe  (PID 5052)
  cmdline: C:\Windows\System32\vdsldr.exe -Embedding

[level 1] C:\Windows\System32\vds.exe  (PID 4676)
  cmdline: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)

[level 1] C:\Windows\system32\NOTEPAD.EXE  (PID 1876)
  cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\read_it.txt
  - Opens file in notepad (likely ransom note)

[level 1] C:\Windows\system32\OpenWith.exe  (PID 1632)
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    [level 2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  (PID 5092)
      cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\BackupGroup.wps.ltjo"
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        [level 3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 3572)
          cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            [level 4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 1712)
              cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BFBA87189E06D39DDD42E9B2C97F99B6 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              - System Location Discovery: System Language Discovery
            [level 4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 2320)
              cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E210E69703319728FDC8C7CA4AA28EDB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E210E69703319728FDC8C7CA4AA28EDB --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
              - System Location Discovery: System Language Discovery
            [level 4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 2208)
              cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DCDA6575176ED773CF9DA2040B0BC9F7 --mojo-platform-channel-handle=1980 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              - System Location Discovery: System Language Discovery
            [level 4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 2040)
              cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=15AC8E10DDD6747EA0180984E2E81EF1 --mojo-platform-channel-handle=2352 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              - System Location Discovery: System Language Discovery
            [level 4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 392)
              cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9CFEDDE6840AF80DB24422295A04A783 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              - System Location Discovery: System Language Discovery

[level 1] C:\Windows\System32\CompPkgSrv.exe  (PID 4476)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

[level 1] C:\Windows\system32\OpenWith.exe  (PID 1412)
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
    [level 2] C:\Program Files\Microsoft Office\root\Office16\Winword.exe  (PID 4100)
      cmdline: "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\CompleteWrite.asp.21ru"
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (3)
    File Deletion (3)
  Modify Registry (2)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads