Analysis
- max time kernel: 104s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/03/2025, 06:34
Behavioral task behavioral1
- Sample: f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe
- Resource: win10v2004-20250314-en
General
- Target: f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe
- Size: 181KB
- MD5: 4b61967fdf02be7687b1490e15b9fd68
- SHA1: fad1ec3f9014432f8bc878c1424c7a7e56d6d729
- SHA256: f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5
- SHA512: 4cbcbe30b4cbc62268a28c4d711548d56f78b3dc82e1840061d1e0f2ecd8d9316ff5a42108ec7994f63fa0cbd088b0f5375e9f178840e21844bf5eebef7ace24
- SSDEEP: 3072:rB/5U7rXgNoku2TspaCq7IUnQOuDE4cxmphmSkCRgOupmTZ0Nk5TqhpzWJy43UYl:rR5U7rwN02Tyq7IwQO54eMBkwXKmTZQq
Malware Config
Extracted
- Path: C:\PerfLogs\readme_for_unlock.txt
- URLs:
  - https://gdpr-info.eu/
  - http://z6ig22odfrlgttti64avskvguqpjlmixzzaepm3xn2pmjkare5rjwpid.onion
Signatures
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (185) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
Disables Task Manager via registry modification
Modifies Windows Firewall (2 TTPs, 1 IoC)
pid | Process
- 2376 | netsh.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | Host Process for Windows Services
Deletes itself (1 IoC)
pid | Process
- 5692 | sichost.exe
Executes dropped EXE (2 IoCs)
pid | Process
- 7116 | Host Process for Windows Services
- 5692 | sichost.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\ProgramData\\Host Process for Windows Services" | Host Process for Windows Services
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only), one IoC per drive letter | \??\E:, \??\O:, \??\Q:, \??\G:, \??\T:, \??\R:, \??\U:, \??\Y:, \??\K:, \??\B:, \??\F:, \??\N:, \??\I:, \??\X:, \??\M:, \??\V:, \??\W:, \??\Z:, \??\S:, \??\A:, \??\J:, \??\L:, \??\P: | Host Process for Windows Services
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\Desktop\Wallpaper = "c:\\programdata\\wallpaper.bmp" | Host Process for Windows Services
resource | yara_rule
- behavioral2/memory/3288-0-0x00000000002C0000-0x000000000030A000-memory.dmp | upx
- behavioral2/files/0x0045000000023a6e-744.dat | upx
- behavioral2/memory/7116-745-0x0000000000CA0000-0x0000000000CD7000-memory.dmp | upx
- behavioral2/files/0x00100000000240d9-753.dat | upx
- behavioral2/memory/5692-754-0x0000000000550000-0x000000000056F000-memory.dmp | upx
- behavioral2/memory/3288-764-0x00000000002C0000-0x000000000030A000-memory.dmp | upx
- behavioral2/memory/5692-772-0x0000000000550000-0x000000000056F000-memory.dmp | upx
- behavioral2/memory/7116-774-0x0000000000CA0000-0x0000000000CD7000-memory.dmp | upx
Drops file in Program Files directory (64 IoCs)
description | ioc (Process for every entry: Host Process for Windows Services)
- File created | C:\Program Files\Common Files\microsoft shared\ink\de-DE\readme_for_unlock.txt
- File opened for modification | C:\Program Files\7-Zip\Lang\hy.txt.crYpt
- File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt.crYpt
- File created | C:\Program Files\Common Files\microsoft shared\ink\pl-PL\readme_for_unlock.txt
- File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt.crYpt
- File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt.crYpt
- File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui
- File opened for modification | C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui
- File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt.crYpt
- File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui
- File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt.crYpt
- File created | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\readme_for_unlock.txt
- File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui
- File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.crYpt
- File opened for modification | C:\Program Files\Common Files\System\ado\msadomd28.tlb
- File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui
- File opened for modification | C:\Program Files\CompleteResume.dotx
- File created | C:\Program Files\Common Files\readme_for_unlock.txt
- File opened for modification | C:\Program Files\7-Zip\Lang\bg.txt.crYpt
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui
- File created | C:\Program Files\Common Files\System\de-DE\readme_for_unlock.txt
- File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.crYpt
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui
- File created | C:\Program Files\Common Files\microsoft shared\Triedit\readme_for_unlock.txt
- File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.crYpt
- File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt.crYpt
- File opened for modification | C:\Program Files\7-Zip\7zCon.sfx
- File created | C:\Program Files\Common Files\microsoft shared\ink\sl-SI\readme_for_unlock.txt
- File created | C:\Program Files\Common Files\System\msadc\ja-JP\readme_for_unlock.txt
- File opened for modification | C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hwrfrash.dat
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui
- File opened for modification | C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui
- File opened for modification | C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui
- File opened for modification | C:\Program Files\Common Files\System\ado\msado26.tlb
- File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt.crYpt
- File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt.crYpt
- File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt
- File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt.crYpt
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json
- File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\readme_for_unlock.txt
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui
- File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\readme_for_unlock.txt
- File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml
- File created | C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\readme_for_unlock.txt
- File opened for modification | C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.crYpt
- File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.crYpt
- File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml
- File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt
- File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt.crYpt
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | diskpart.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Host Process for Windows Services
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sichost.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | diskpart.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | diskpart.exe
Checks SCSI registry key(s) (3 TTPs, 20 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc (Process for every entry: vds.exe)
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_MSFT&PROD_VIRTUAL_DISK\2&1F4ADFFE&0&000003
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\FriendlyName
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\FriendlyName
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\FriendlyName
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_MSFT&PROD_VIRTUAL_DISK\2&1F4ADFFE&0&000003
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\ConfigFlags
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_MSFT&PROD_VIRTUAL_DISK\2&1F4ADFFE&0&000003
Interacts with shadow copies (3 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
- 4768 | vssadmin.exe
Modifies Control Panel (2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\Desktop\WallpaperStyle = "Center" | Host Process for Windows Services
- Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\Desktop\TileWallpaper = "0" | Host Process for Windows Services
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 7116 | Host Process for Windows Services (64 identical entries)
Suspicious behavior: LoadsDriver (1 IoC)
pid
- 4
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
- Token: SeIncBasePriorityPrivilege | 3288 | f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe
- Token: SeIncBasePriorityPrivilege | 3288 | f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe
- Token: SeManageVolumePrivilege | 2252 | vds.exe
- Token: SeManageVolumePrivilege | 2252 | vds.exe
- Token: SeIncBasePriorityPrivilege | 3288 | f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe
- Token: SeIncBasePriorityPrivilege | 3288 | f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe
- Token: SeIncBasePriorityPrivilege | 3288 | f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe
- Token: SeDebugPrivilege | 7116 | Host Process for Windows Services
- Token: SeBackupPrivilege | 1776 | vssvc.exe
- Token: SeRestorePrivilege | 1776 | vssvc.exe
- Token: SeAuditPrivilege | 1776 | vssvc.exe
Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
- PID 3288 wrote to memory of 3056 | 3288 | f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe | 86 (3 entries)
- PID 3288 wrote to memory of 3528 | 3288 | f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe | 97 (3 entries)
- PID 3288 wrote to memory of 7116 | 3288 | f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe | 102 (3 entries)
- PID 3288 wrote to memory of 5692 | 3288 | f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe | 103 (3 entries)
- PID 3288 wrote to memory of 5208 | 3288 | f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe | 104 (3 entries)
- PID 7116 wrote to memory of 6084 | 7116 | Host Process for Windows Services | 109 (2 entries)
- PID 7116 wrote to memory of 2376 | 7116 | Host Process for Windows Services | 111 (3 entries)
- PID 6084 wrote to memory of 4768 | 6084 | cmd.exe | 113 (2 entries)
System policy modification (1 TTP, 16 IoCs)
description | ioc (Process for every entry: Host Process for Windows Services)
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableChangePassword = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableTaskMgr = "1"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SYSTEM
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\EXPLORER
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogoff = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableSwitchUser = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoLogoff = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoClose = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\StartMenuLogOff = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableSwitchUser = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideFastUserSwitching = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe"
  PID: 3288
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\diskpart.exe
    Command line: diskpart /s C:\ProgramData\kD1aE.tmp
    PID: 3056
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\diskpart.exe
    Command line: diskpart /s C:\ProgramData\kD1aE.tmp
    PID: 3528
    Signatures: System Location Discovery: System Language Discovery
  - C:\ProgramData\Host Process for Windows Services
    Command line: "C:\ProgramData\Host Process for Windows Services"
    PID: 7116
    Signatures: Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Enumerates connected drives; Sets desktop wallpaper using registry; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies Control Panel; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      PID: 6084
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe
        Command line: vssadmin.exe delete shadows /all /quiet
        PID: 4768
        Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
      PID: 2376
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
  - C:\ProgramData\sichost.exe
    Command line: C:\ProgramData\sichost.exe C:\Users\Admin\AppData\Local\Temp\f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe
    PID: 5692
    Signatures: Deletes itself; Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\diskpart.exe
    Command line: diskpart /s C:\ProgramData\kD1aE.tmp
    PID: 5208
    Signatures: System Location Discovery: System Language Discovery
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 1384
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 2252
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  PID: 5068
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 6016
  Signatures: Checks SCSI registry key(s)
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 2580
  Signatures: Checks SCSI registry key(s)
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1776
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Direct Volume Access (1)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (3)
Downloads
- Filesize: 2KB
- MD5: d8e863955a2afad6b297de25aa1e34a8
- SHA1: 9d960ad303b8925f684c2516e014221c462c8d74
- SHA256: bd2668828c480746dd8d6270efa1eab91416ad07ccf7bf58b0c1e6dda2e0a707
- SHA512: fa5698a78210357e859123e6d7c54348a7f78c605104ad9fb82b41fe69ee510fa1905290d1d4ffd8e94ee16d3e9f401a8c63b902bc3688a4bbcf94d884650ed7

- Filesize: 69KB
- MD5: f17d7475ae143611c98e3eb03d3911ef
- SHA1: b98367f0d97faf9b7d1002d46637ce4bc57d9a5b
- SHA256: 827baf5be98a693f923c055ba9950ec3437a244abb9bd0a4e794add298bff087
- SHA512: 4dfe335b8a1be3c2c71b0d4a43b3f004b3e29eba8491e0a5f98b4fe5b8a14d787ca6f8a6997ca845e0b95c7110fecaab94907c217fce4ca1622cab9b256dbb2a

- Filesize: 16.0MB
- MD5: 449a62bf153f4fb72e2ee7a86c774b45
- SHA1: efe19f472d460d7210e568e3443e164fd1f51855
- SHA256: c902ce599db4134b17ac52a817c04b5a60cc587f983b3517b97c58634c13cc18
- SHA512: c7198185e0f2bd2502cb3c24fc870fb621b8d421c5f00397f180b145035292ccb4900b17948cd5a166be39e5dc584bc9f22216ae050c20e87d44da485e820d18

- Filesize: 34B
- MD5: 4eb9ba2b74923cfdd5bf1b7d361916c8
- SHA1: 38bb5cd2e7c48a369d7e73852749bac403165519
- SHA256: 0977e976a701e82d9d4f1f1b1eaf8a495e1bd92cc33a86a398d0bd536d86a73a
- SHA512: be4227c1d478476813f164b8e5389d46be10877839530e85e0ab51f744f6006810823751e5ec08ad345298c966082f48a36f0aa6ba12d47522bde95176cf203d

- Filesize: 132B
- MD5: 40525e4d5526164ffeeefb2e335c869e
- SHA1: 855aea5785873f5b13605de8765d94edf62143f7
- SHA256: 82350eee2b0b078b4dd06fee1242d227cb9bc4a5a61d01ee42161d8c8e1efc80
- SHA512: b5334c2d1f8713f4316673754f112ae59d2b8854aada64380888cb40323927862b753ba40691f0923c8e70c7b624cf3cd315be7e84bf8202c293f2f71c02afcf

- Filesize: 43KB
- MD5: e6a8f3973380e37f13fc76a9d27e79ca
- SHA1: 24bd0e0662f0dca89698c1323268f15d30d36d96
- SHA256: 092d4fe86aec6c3a44499e7539e88e50a31b451250e53847d0ab23d116a7cd8e
- SHA512: b5afbc690962fdfb9469a4bc96404e629c097b5bb60627f830e2a00879625e75590e3f3c2bbff7765d701d0d61481c49769c0d36fe74182027555444ae2f2534