Analysis
- max time kernel: 150s
- max time network: 112s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20250502-en locale:en-us os:windows10-2004-x64 system
- submitted: 03/05/2025, 15:18

Behavioral task: behavioral1
- Sample: 1.exe
- Resource: win10v2004-20250502-en

General
- Target: 1.exe
- Size: 434KB
- MD5: 188aa2b0c254f454088aa765b6b2030a
- SHA1: 9bae9a01368f4dba20c9ba2c09a986e6cf86a083
- SHA256: 99067d26b7cc568c78e595aa1e0eed2e2f29a421612f0d30ddece76d1095acd5
- SHA512: 8e1306df263c7562ac72c274acace34a307b159e7c83fd2cd612ac8a08b3bd7473a663e6e4de13220b1fcf1d4c4db574376a9ffede66cfbcca06479c0a174dfb
- SSDEEP: 12288:IP2zDtZ+Te8iKLRkRXXxrdofYM3r3xRMZg5w1+B+:IP2L+TNKxheASNR4
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings (3 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (1.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (1.exe)
Disables use of System Restore points (1 TTP)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation (1.exe)
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C8EE3CFE1CE57604C03F717C9A7CBF28.exe (1.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C8EE3CFE1CE57604C03F717C9A7CBF28.exe (1.exe)
Drops desktop.ini file(s) (28 IoCs)
All 28 entries are "File opened for modification" by 1.exe, i.e. existing desktop.ini files in the user and Program Files trees are rewritten rather than new ones dropped:
- C:\users\admin\searches\desktop.ini
- C:\users\public\music\desktop.ini
- C:\users\admin\3d objects\desktop.ini
- C:\users\admin\favorites\desktop.ini
- C:\users\admin\links\desktop.ini
- C:\users\admin\pictures\saved pictures\desktop.ini
- C:\users\admin\saved games\desktop.ini
- C:\users\public\pictures\desktop.ini
- C:\users\public\videos\desktop.ini
- C:\program files\microsoft office\root\office16\1033\dataservices\desktop.ini
- C:\users\admin\contacts\desktop.ini
- C:\users\admin\documents\desktop.ini
- C:\users\admin\music\desktop.ini
- C:\users\admin\onedrive\desktop.ini
- C:\users\admin\pictures\camera roll\desktop.ini
- C:\users\public\desktop\desktop.ini
- C:\users\public\documents\desktop.ini
- C:\program files\desktop.ini
- C:\users\admin\downloads\desktop.ini
- C:\users\admin\favorites\links\desktop.ini
- C:\users\admin\videos\desktop.ini
- C:\users\public\accountpictures\desktop.ini
- C:\users\public\desktop.ini
- C:\users\public\downloads\desktop.ini
- C:\users\public\libraries\desktop.ini
- C:\program files (x86)\desktop.ini
- C:\users\admin\desktop\desktop.ini
- C:\users\admin\pictures\desktop.ini
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. Every drive letter from A: to Z: except C: and D: is probed by 1.exe, each as "File opened (read-only)", in this order:
- \??\F:, \??\W:, \??\R:, \??\T:, \??\Y:, \??\P:, \??\Z:, \??\M:, \??\E:, \??\U:, \??\I:, \??\S:, \??\G:, \??\N:, \??\Q:, \??\A:, \??\H:, \??\X:, \??\V:, \??\O:, \??\J:, \??\K:, \??\L:, \??\B:
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\C8EE3CFE1CE57604C03F717C9A7CBF28.bmp" (1.exe)
YARA rule match: upx (6 IoCs)
The same mapped image range of PID 5372 (0x0000000000260000-0x0000000000389000) matches the upx rule in six memory dumps:
- behavioral1/memory/5372-0-0x0000000000260000-0x0000000000389000-memory.dmp
- behavioral1/memory/5372-9106-0x0000000000260000-0x0000000000389000-memory.dmp
- behavioral1/memory/5372-9135-0x0000000000260000-0x0000000000389000-memory.dmp
- behavioral1/memory/5372-14852-0x0000000000260000-0x0000000000389000-memory.dmp
- behavioral1/memory/5372-14853-0x0000000000260000-0x0000000000389000-memory.dmp
- behavioral1/memory/5372-14859-0x0000000000260000-0x0000000000389000-memory.dmp
Drops file in Program Files directory (64 IoCs)
All entries are by 1.exe. Thirteen are ransom notes named #HowToRecover.txt created in application directories; the remaining 51 are existing application files opened for modification.

File created (13):
- C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\#HowToRecover.txt
- C:\program files\windowsapps\#HowToRecover.txt
- C:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\secondarytiles\directions\home\rtl\contrast-black\#HowToRecover.txt
- C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer-select\#HowToRecover.txt
- C:\program files\windowsapps\microsoft.microsoft3dviewer_6.1908.2042.0_x64__8wekyb3d8bbwe\common.view.uwp\strings\hr-hr\view3d\#HowToRecover.txt
- C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\files\dev\nls\root\#HowToRecover.txt
- C:\program files\windowsapps\microsoft.zunemusic_10.19071.19011.0_x64__8wekyb3d8bbwe\assets\contrast-black\#HowToRecover.txt
- C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\app\dev\nls\nb-no\#HowToRecover.txt
- C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer\js\nls\ja-jp\#HowToRecover.txt
- C:\program files\videolan\vlc\locale\de\#HowToRecover.txt
- C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\signatures\images\themes\dark\#HowToRecover.txt
- C:\program files\windowsapps\microsoft.microsoft3dviewer_6.1908.2042.0_x64__8wekyb3d8bbwe\appxmetadata\#HowToRecover.txt
- C:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\secondarytiles\directions\place\ltr\#HowToRecover.txt

File opened for modification (51):
- C:\program files\windowsapps\microsoft.vp9videoextensions_1.0.22681.0_x64__8wekyb3d8bbwe\assets\contrast-black\badgelogo.scale-200_contrast-black.png
- C:\program files\windowsapps\microsoft.windowscamera_2018.826.98.0_x64__8wekyb3d8bbwe\assets\windowsicons\windowscameraapplist.contrast-white_targetsize-80.png
- C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\hxmailbadge.scale-400.png
- C:\program files\windowsapps\microsoft.zunemusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\contrast-black\applist.scale-100_contrast-black.png
- C:\program files\windowsapps\microsoft.heifimageextension_1.0.22742.0_x64__8wekyb3d8bbwe\assets\contrast-white\applist.targetsize-256_altform-unplated_contrast-white.png
- C:\program files\windowsapps\microsoft.zunevideo_10.19071.19011.0_x64__8wekyb3d8bbwe\assets\contrast-black\applist.targetsize-60_contrast-black.png
- C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\outlookmailmediumtile.scale-400.png
- C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\hxa-google.scale-100.png
- C:\program files\windowsapps\microsoft.heifimageextension_1.0.22742.0_x64__8wekyb3d8bbwe\assets\widetile.scale-200.png
- C:\program files\windowsapps\microsoft.webpimageextension_1.0.22753.0_x64__8wekyb3d8bbwe\assets\widetile.scale-150.png
- C:\program files\windowsapps\deletedalluserpackages\microsoft.windowsfeedbackhub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\insiderhubmedtile.scale-125_contrast-black.png
- C:\program files\windowsapps\microsoft.webpimageextension_1.0.22753.0_x64__8wekyb3d8bbwe\assets\contrast-black\storelogo.scale-125_contrast-black.png
- C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\dark\s_sendforsignature_18.svg
- C:\program files\windowsapps\microsoft.office.onenote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\onenotesmalltile.scale-200.png
- C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\outlookmailbadge.scale-200.png
- C:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\secondarytiles\traffichub\contrast-black\smalltile.scale-100.png
- C:\program files\windowsapps\microsoft.microsoftstickynotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri
- C:\program files\windowsapps\microsoft.people_10.1902.633.0_x64__8wekyb3d8bbwe\assets\contrast-white\peoplemedtile.scale-200.png
- C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\exchangebadge.scale-125.png
- C:\program files\windowsapps\microsoft.xboxapp_48.49.31001.0_x64__8wekyb3d8bbwe\assets\gamesxboxhubapplist.targetsize-36_contrast-high.png
- C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\add-account\js\nls\da-dk\ui-strings.js
- C:\program files\microsoft office\root\licenses16\powerpointr_trial-ul-oob.xrm-ms
- C:\program files\windowsapps\deletedalluserpackages\microsoft.gethelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\tinytile.scale-125_contrast-white.png
- C:\program files\windowsapps\microsoft.net.native.runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\appxsignature.p7x
- C:\program files\windowsapps\microsoft.windowsfeedbackhub_1.1907.3152.0_x64__8wekyb3d8bbwe\assets\insiderhubapplist.targetsize-60_contrast-white.png
- C:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_x64__8wekyb3d8bbwe\assets\secondarytiles\directions\place\ltr\contrast-white\widetile.scale-200.png
- C:\program files\windowsapps\microsoft.zunevideo_10.19071.19011.0_x64__8wekyb3d8bbwe\assets\applist.targetsize-96_altform-lightunplated.png
- C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\localized_images\sv-se\playstore_icon.svg
- C:\program files\microsoft office\root\licenses16\access2019r_oem_perp-ppd.xrm-ms
- C:\program files\windowsapps\microsoft.mixedreality.portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\contrast-black\mixedrealityportalstorelogo.scale-100_contrast-black.png
- C:\program files\windowsapps\microsoft.mixedreality.portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\assets\background_roomtracing_04.jpg
- C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\emptyshare.scale-100.png
- C:\program files\windowsapps\microsoft.microsoftsolitairecollection_4.4.8204.0_x64__8wekyb3d8bbwe\win10\splashscreen.scale-100.png
- C:\program files\windowsapps\microsoft.office.onenote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\jsaddins\onenote_strings.js
- C:\program files\windowsapps\microsoft.office.onenote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\onenoteapplist.scale-100.png
- C:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\secondarytiles\directions\home\rtl\contrast-white\widetile.scale-100.png
- C:\program files\windowsapps\microsoft.mspaint_6.1907.29027.0_x64__8wekyb3d8bbwe\assets\images\stickers\sticker_cloud.png
- C:\program files\windowsapps\microsoft.vp9videoextensions_1.0.22681.0_x64__8wekyb3d8bbwe\assets\applist.scale-100.png
- C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\hxcalendarapplist.scale-125.png
- C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover.png
- C:\program files\windowsapps\microsoft.office.onenote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\onenotesplashlogo.scale-150.png
- C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\hxa-advanced-dark.scale-150.png
- C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\localized_images\ja-jp\appstore_icon.svg
- C:\program files\java\jdk-1.8\jre\lib\amd64\jvm.cfg
- C:\program files\microsoft office\root\licenses16\skypeforbusinessr_grace-ul-oob.xrm-ms
- C:\program files\microsoft office\root\licenses16\visiopromsdnr_retail-pl.xrm-ms
- C:\program files\windowsapps\microsoft.bingweather_4.25.20211.0_x64__8wekyb3d8bbwe\assets\apptiles\weatherimages\423x173\7.jpg
- C:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\attachmentplaceholder-dark.png
- C:\program files\microsoft office\root\office16\1033\winword_col.hxt
- C:\program files\windowsapps\microsoft.windowscalculator_10.1906.55.0_x64__8wekyb3d8bbwe\winmetadata\microsoft.ui.xaml.winmd
- C:\program files\7-zip\lang\tr.txt
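The two file-activity signatures above (the desktop.ini rewrites and the Program Files drops) share one shape a responder can key on: a single process creating the same file name in many unrelated directories while also modifying a large number of existing files. The following is an added example, not part of the sandbox report, showing that heuristic over event lines written in the report's own "description ioc Process" layout. The event lines are a subset of the IoCs listed above, plus one constructed benign installer (setup.exe) that writes a single readme and must not fire. The thresholds and the function name are the example's own choices.

```python
"""Ransom-note fan-out heuristic over file events.

Added example, not part of the sandbox report or the sample. Events are a
subset of the report's file IoCs in its own layout; setup.exe lines are
constructed as a benign control.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# "File created <path> <process>" / "File opened for modification <path> <process>"
FILE_RE = re.compile(r"^File (?P<op>created|opened for modification) (?P<path>.+) (?P<proc>\S+)$")

EVENTS = [
    r"File opened for modification C:\users\admin\documents\desktop.ini 1.exe",
    r"File opened for modification C:\users\public\desktop\desktop.ini 1.exe",
    r"File opened for modification C:\program files\windowsapps\microsoft.heifimageextension_1.0.22742.0_x64__8wekyb3d8bbwe\assets\widetile.scale-200.png 1.exe",
    r"File opened for modification C:\program files\microsoft office\root\licenses16\powerpointr_trial-ul-oob.xrm-ms 1.exe",
    r"File opened for modification C:\program files\java\jdk-1.8\jre\lib\amd64\jvm.cfg 1.exe",
    r"File opened for modification C:\program files\7-zip\lang\tr.txt 1.exe",
    r"File created C:\program files\windowsapps\#HowToRecover.txt 1.exe",
    r"File created C:\program files\videolan\vlc\locale\de\#HowToRecover.txt 1.exe",
    r"File created C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer-select\#HowToRecover.txt 1.exe",
    r"File created C:\program files\windowsapps\microsoft.microsoft3dviewer_6.1908.2042.0_x64__8wekyb3d8bbwe\appxmetadata\#HowToRecover.txt 1.exe",
    r"File created C:\program files\windowsapps\microsoft.zunemusic_10.19071.19011.0_x64__8wekyb3d8bbwe\assets\contrast-black\#HowToRecover.txt 1.exe",
    # constructed benign control: one readme in one directory, one file touched
    r"File created C:\program files\exampleapp\readme.txt setup.exe",
    r"File opened for modification C:\program files\exampleapp\app.exe setup.exe",
]


def fanout(lines, min_dirs=3, min_mods=5):
    """Return [(process, file_name, distinct_dirs, files_modified)] for every
    process that created one file name in >= min_dirs directories and also
    modified >= min_mods existing files. Paths are compared case-insensitively."""
    created = defaultdict(lambda: defaultdict(set))  # proc -> name -> {dirs}
    modified = defaultdict(int)                       # proc -> count
    for line in lines:
        m = FILE_RE.match(line)
        if not m:
            continue  # not a file event in this layout
        p = PureWindowsPath(m["path"].lower())
        if m["op"] == "created":
            created[m["proc"]][p.name].add(str(p.parent))
        else:
            modified[m["proc"]] += 1
    alerts = []
    for proc, names in created.items():
        for name, dirs in names.items():
            if len(dirs) >= min_dirs and modified[proc] >= min_mods:
                alerts.append((proc, name, len(dirs), modified[proc]))
    return alerts


if __name__ == "__main__":
    for proc, name, dirs, mods in fanout(EVENTS):
        print(f"{proc}: '{name}' created in {dirs} directories, {mods} files modified")
```

On a full event stream the same function runs per process over a sliding time window; the report's 13 note creations and 51 modifications in one Program Files signature alone would clear both thresholds many times over, while an installer that writes one README into its own directory never reaches min_dirs.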
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe (6 entries), WMIC.exe, NOTEPAD.EXE, PING.EXE and 1.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
- PID 1436 cmd.exe
- PID 5504 PING.EXE
In this run the target is 127.0.0.1 with -n 5 (see the process tree), so the ping is a loopback delay before the dropper deletes itself rather than a connectivity check; the signature is a generic match on ping.
Modifies Control Panel (3 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop (1.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\WallpaperStyle = "2" (1.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\TileWallpaper = "0" (1.exe)
Modifies registry class (4 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.1cxz\DefaultIcon (1.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.1cxz (1.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.1cxz\DefaultIcon\ = "C:\\ProgramData\\C8EE3CFE1CE57604C03F717C9A7CBF28.ico" (1.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000_Classes\Local Settings (1.exe)
Registering a file class for .1cxz with an icon dropped under ProgramData is consistent with .1cxz being the extension given to encrypted files; the extension, the .ico and the .bmp in ProgramData are all named after the victim ID C8EE3CFE1CE57604C03F717C9A7CBF28.
Runs ping.exe (1 TTP, 1 IoC)
- PID 5504 PING.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 5372 1.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (23 IoCs)
- PID 5372 1.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege
- PID 5420 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
The two privileges enabled by 1.exe are the ones that let it overwrite files under Program Files regardless of their ACLs (compare the "Drops file in Program Files directory" list); WMIC.exe enabling every privilege in its token is its normal start-up behaviour and not specific to this sample.
Suspicious use of WriteProcessMemory (27 IoCs; each write is logged three times)
- PID 5372 1.exe wrote to memory of 5040 (target 88)
- PID 5372 1.exe wrote to memory of 4196 (target 90)
- PID 5372 1.exe wrote to memory of 4092 (target 92)
- PID 5372 1.exe wrote to memory of 3476 (target 94)
- PID 3476 cmd.exe wrote to memory of 5420 (target 97)
- PID 5372 1.exe wrote to memory of 4316 (target 99)
- PID 5372 1.exe wrote to memory of 3112 (target 101)
- PID 5372 1.exe wrote to memory of 1436 (target 106)
- PID 1436 cmd.exe wrote to memory of 5504 (target 108)
Every target is a direct child in the process tree, so these are the writes a parent makes into a process it has just created, not injection into an unrelated process.
System policy modification (1 TTP, 3 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (1.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Your computer is encrypted" (1.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "We encrypted and stolen all of your files.\r\r\nOpen #HowToRecover.txt and follow the instructions to recover your files.\r\r\nYour ID: C8EE3CFE1CE57604C03F717C9A7CBF28" (1.exe)
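The registry IoCs in the signatures above (the Defender real-time protection policy value, the wallpaper pointed at ProgramData, the .1cxz file class with its icon in ProgramData, and the logon legal notice) are host artefacts a responder can match without the sample. The following is an added example, not part of the sandbox report, that parses event lines written in the report's own "description ioc Process" layout and applies one rule per artefact. The events are constructed from the IoCs above, plus one constructed benign wallpaper change by explorer.exe to show that the wallpaper rule keys on the ProgramData location rather than on any change. Rule names and the Event/Finding types are the example's own.

```python
"""Registry IoC rules over event lines in the report's layout.

Added example, not part of the sandbox report or the sample. Event lines are
constructed from the report's IoCs; the explorer.exe line is a benign control.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

EVENTS = [
    r'Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection 1.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 1.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\C8EE3CFE1CE57604C03F717C9A7CBF28.bmp" 1.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1cxz 1.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.1cxz\DefaultIcon\ = "C:\\ProgramData\\C8EE3CFE1CE57604C03F717C9A7CBF28.ico" 1.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Your computer is encrypted" 1.exe',
    # constructed benign control: a user-chosen wallpaper set by the shell must not fire
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\beach.jpg" explorer.exe',
]

# 'Set value (<type>) <key>\<name> = "<data>" <process>'  (key may contain spaces)
SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
# 'Key created|opened|value queried <key> <process>'
KEY_RE = re.compile(r'^Key (?P<op>created|opened|value queried) (?P<path>\\REGISTRY\\.+) (?P<proc>\S+)$')
CLASS_ICON = re.compile(r"\\classes\\(\.[^\\]+)\\defaulticon\\?$")


@dataclass
class Event:
    op: str    # "set" or the key operation
    path: str  # registry path, value name included for "set"
    data: str  # value data, backslashes un-doubled; "" for key operations
    proc: str


@dataclass
class Finding:
    rule: str
    detail: str
    proc: str


def parse(line: str) -> Optional[Event]:
    m = SET_RE.match(line)
    if m:
        return Event("set", m["path"], m["data"].replace("\\\\", "\\"), m["proc"])
    m = KEY_RE.match(line)
    if m:
        return Event(m["op"], m["path"], "", m["proc"])
    return None


def evaluate(ev: Event) -> Optional[Finding]:
    p, d = ev.path.lower(), ev.data.lower()
    if ev.op != "set":
        return None
    # Real-time protection switched off through the Policies hive, not the UI.
    if p.endswith("\\windows defender\\real-time protection\\disablerealtimemonitoring") \
            and "\\policies\\" in p and d == "1":
        return Finding("defender_rtp_disabled_via_policy", ev.path, ev.proc)
    # Logon banner used as a ransom note.
    if "\\policies\\system\\legalnotice" in p:
        return Finding("logon_legal_notice_set", ev.data, ev.proc)
    # Wallpaper pointed at a bitmap dropped in ProgramData (defacement).
    if p.endswith("\\control panel\\desktop\\wallpaper") and d.startswith("c:\\programdata\\"):
        return Finding("wallpaper_from_programdata", ev.data, ev.proc)
    # New file extension registered with an icon dropped in ProgramData.
    m = CLASS_ICON.search(p)
    if m and "\\programdata\\" in d:
        return Finding("new_extension_icon_from_programdata", m.group(1), ev.proc)
    return None


def triage(lines) -> List[Finding]:
    findings = []
    for line in lines:
        ev = parse(line)
        f = evaluate(ev) if ev else None
        if f:
            findings.append(f)
    return findings


def encrypted_extension(findings) -> Optional[str]:
    """Extension hint to sweep for, taken from the registered file class."""
    for f in findings:
        if f.rule == "new_extension_icon_from_programdata":
            return f.detail
    return None


if __name__ == "__main__":
    found = triage(EVENTS)
    for f in found:
        print(f"{f.rule:40} {f.proc:12} {f.detail}")
    print("sweep for extension:", encrypted_extension(found))
```

The Defender rule deliberately requires the Policies path: that value is also written under HKLM\SOFTWARE\Microsoft\Windows Defender by Defender itself, whereas a policy-hive write from a process that is not Group Policy is the tampering pattern shown in the report.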
Processes
The sample is 32-bit (resource tag arch:x86), so the System32 paths in its command lines resolve to the SysWOW64 images shown. Indentation shows parent/child relationships.

- C:\Users\Admin\AppData\Local\Temp\1.exe (PID 5372)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  Signatures: Modifies Windows Defender Real-time Protection settings; Checks computer location settings; Drops startup file; Drops desktop.ini file(s); Enumerates connected drives; Sets desktop wallpaper using registry; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Windows\SysWOW64\cmd.exe (PID 5040)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin Delete Shadows /All /Quiet
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 4196)
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 4092)
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 3476)
    Command line: "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY /nointeractive
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 5420)
      Command line: wmic SHADOWCOPY /nointeractive
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 4316)
    Command line: "C:\Windows\System32\cmd.exe" /c for /F "tokens = *" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\NOTEPAD.EXE (PID 3112)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\dotnet\#HowToRecover.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1436)
    Command line (as captured, including the stray parenthesis): "C:\Windows\System32\cmd.exe" (/c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\1.exe"
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 5504)
      Command line: ping 127.0.0.1 -n 5
      Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

The children form the usual pre-encryption sequence: shadow copies removed twice (vssadmin, then WMI), Windows recovery and boot-failure recovery disabled with bcdedit, every event log enumerated and cleared with wevtutil, the ransom note opened in Notepad, and finally the dropper deleted after a five-count loopback ping delay.
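Any one of the commands in the tree above can come from an administrator; the signal is several of them spawned by the same parent within one session. The following is an added example, not part of the sandbox report, that applies command-line rules to process-creation events, confirms the self-delete by checking that the "del" target equals the parent's own image path, and scores each parent by the number of distinct techniques its children ran. The events are transcribed from the process tree into Sysmon-style dictionaries; the root's parent PID and the two benign control events (a "vssadmin List Shadows" and a ping-then-del of an unrelated file) are constructed. The captured "wmic SHADOWCOPY /nointeractive" carries no verb, so the WMI rule matches the shadowcopy class rather than "delete" specifically. Rule names and thresholds are the example's own.

```python
"""Correlate recovery-inhibition commands back to their parent process.

Added example, not part of the sandbox report or the sample. Events are
transcribed from the report's process tree; the root's ppid (4000) and the
PID 6001/6002 events are constructed.
"""
import re
from collections import defaultdict

EVENTS = [
    {"pid": 5372, "ppid": 4000, "image": r"C:\Users\Admin\AppData\Local\Temp\1.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\1.exe"'},
    {"pid": 5040, "ppid": 5372, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c vssadmin Delete Shadows /All /Quiet'},
    {"pid": 4196, "ppid": 5372, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No'},
    {"pid": 4092, "ppid": 5372, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 3476, "ppid": 5372, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY /nointeractive'},
    {"pid": 5420, "ppid": 3476, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmd": r"wmic SHADOWCOPY /nointeractive"},
    {"pid": 4316, "ppid": 5372, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'''"C:\Windows\System32\cmd.exe" /c for /F "tokens = *" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"'''},
    {"pid": 3112, "ppid": 5372, "image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "cmd": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\dotnet\#HowToRecover.txt'},
    {"pid": 1436, "ppid": 5372, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" (/c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\1.exe"'},
    {"pid": 5504, "ppid": 1436, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmd": r"ping 127.0.0.1 -n 5"},
    # constructed benign controls: listing shadows, and a delayed delete of an unrelated file
    {"pid": 6001, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c vssadmin List Shadows"},
    {"pid": 6002, "ppid": 6001, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c ping 127.0.0.1 -n 2 > nul & del "C:\Users\Admin\Desktop\old.log"'},
]

# (rule, pattern) applied to the lower-cased, whitespace-normalised command line
RULES = [
    ("shadow_copies_deleted",  re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copies_deleted",  re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b")),
    ("boot_recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("boot_recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("event_logs_cleared",     re.compile(r"\bwevtutil(\.exe)?\s+cl\b")),
]
# ping-as-sleep followed by del; group 1 is the deleted path
SELF_DELETE = re.compile(r'\bping\b.*&\s*del\s+"?([^"&]+?)"?\s*$')


def analyze(events):
    """Return [(rule, pid, ppid)] with one entry per matching rule per process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmd = re.sub(r"\s+", " ", e["cmd"].lower()).strip()
        for rule, rx in RULES:
            if rx.search(cmd):
                findings.append((rule, e["pid"], e["ppid"]))
        m = SELF_DELETE.search(cmd)
        parent = by_pid.get(e["ppid"])
        # Only a self-delete if the deleted path is the parent's own image.
        if m and parent and m.group(1).strip().lower() == parent["image"].lower():
            findings.append(("parent_self_delete_via_ping_delay", e["pid"], e["ppid"]))
    return findings


def suspects(findings, threshold=2):
    """{ppid: sorted distinct rules} for parents whose children hit >= threshold rules."""
    by_parent = defaultdict(set)
    for rule, _pid, ppid in findings:
        by_parent[ppid].add(rule)
    return {ppid: sorted(rules) for ppid, rules in by_parent.items() if len(rules) >= threshold}


if __name__ == "__main__":
    found = analyze(EVENTS)
    for rule, pid, ppid in found:
        print(f"{rule:36} pid={pid} parent={ppid}")
    print("suspect parents:", suspects(found))
```

PID 3476 (the cmd.exe that launched WMIC) also accumulates a shadow-copy finding through its child, but only one distinct rule, so it stays below the threshold; the parent that clears it is 5372, the sample itself.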
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 608B
- MD5: 65aa265fdd130539d06c1058297be2fd
- SHA1: f1bec6fed783a32d3ff263870dc8a0375276631b
- SHA256: 6ff0ae3d3e1ff25b063d5fd40b5c78d2c598203d6965a3accd360890911c3b78
- SHA512: 570ef02d882b2d2556ab92d5bd7f4a2a64aa3aefbde7dcbed7c4618d96350fd88a28ba2e5f94921a4523ee0722c1b823173c8c172790afa80da8782a4f4e9021