Analysis
-
max time kernel
139s -
max time network
76s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
18-06-2020 02:08
Static task
static1
Behavioral task
behavioral1
Sample
90a909a4508aa899b4be372e7de6f500.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
90a909a4508aa899b4be372e7de6f500.exe
Resource
win10
General
-
Target
90a909a4508aa899b4be372e7de6f500.exe
-
Size
62KB
-
MD5
90a909a4508aa899b4be372e7de6f500
-
SHA1
7bb201923d7055c149858d087c0a44ab9530536e
-
SHA256
1c83ff2394da76e6296e6ad72c40dbde107704a711bbd08b633c57587230ccf8
-
SHA512
57b732ac3827878c81ed45e26001695c42240b6eb16d4c9d0ecd34d41ede0d598983c156a5c22c8a5f79e81437ed308e0414571cda1c0725ab7b2b3ef9f683cf
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\DEAL_FOR_ACCESS_TO_YOUR_FILES.txt
l1u1t1@secmail.pro
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1464 cmd.exe -
Drops startup file 1 IoCs
Processes:
90a909a4508aa899b4be372e7de6f500.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk 90a909a4508aa899b4be372e7de6f500.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exedescription ioc process File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exepid process 1108 vssadmin.exe 744 vssadmin.exe 1508 vssadmin.exe 1520 vssadmin.exe 1856 vssadmin.exe 1488 vssadmin.exe 364 vssadmin.exe 1828 vssadmin.exe 1320 vssadmin.exe 1596 vssadmin.exe 1560 vssadmin.exe 1936 vssadmin.exe 1960 vssadmin.exe 1848 vssadmin.exe -
Kills process with taskkill 3 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exepid process 1852 taskkill.exe 1324 taskkill.exe 1000 taskkill.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exepid process 1612 notepad.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 4 IoCs
Processes:
PING.EXEPING.EXEPING.EXEPING.EXEpid process 828 PING.EXE 1544 PING.EXE 1696 PING.EXE 288 PING.EXE -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
90a909a4508aa899b4be372e7de6f500.exetaskkill.exetaskkill.exetaskkill.exevssvc.exedescription pid process Token: SeDebugPrivilege 1312 90a909a4508aa899b4be372e7de6f500.exe Token: SeDebugPrivilege 1852 taskkill.exe Token: SeDebugPrivilege 1324 taskkill.exe Token: SeDebugPrivilege 1000 taskkill.exe Token: SeBackupPrivilege 2004 vssvc.exe Token: SeRestorePrivilege 2004 vssvc.exe Token: SeAuditPrivilege 2004 vssvc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
90a909a4508aa899b4be372e7de6f500.exepid process 1312 90a909a4508aa899b4be372e7de6f500.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
90a909a4508aa899b4be372e7de6f500.exepid process 1312 90a909a4508aa899b4be372e7de6f500.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
90a909a4508aa899b4be372e7de6f500.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exedescription pid process target process PID 1312 wrote to memory of 1480 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1480 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1480 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1480 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1480 wrote to memory of 544 1480 net.exe net1.exe PID 1480 wrote to memory of 544 1480 net.exe net1.exe PID 1480 wrote to memory of 544 1480 net.exe net1.exe PID 1480 wrote to memory of 544 1480 net.exe net1.exe PID 1312 wrote to memory of 1012 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1012 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1012 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1012 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1012 wrote to memory of 1612 1012 net.exe net1.exe PID 1012 wrote to memory of 1612 1012 net.exe net1.exe PID 1012 wrote to memory of 1612 1012 net.exe net1.exe PID 1012 wrote to memory of 1612 1012 net.exe net1.exe PID 1312 wrote to memory of 240 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 240 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 240 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 240 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 240 wrote to memory of 1068 240 net.exe net1.exe PID 240 wrote to memory of 1068 240 net.exe net1.exe PID 240 wrote to memory of 1068 240 net.exe net1.exe PID 240 wrote to memory of 1068 240 net.exe net1.exe PID 1312 wrote to memory of 1088 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1088 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1088 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1088 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1088 wrote to memory of 1520 1088 net.exe net1.exe PID 1088 wrote to memory of 1520 1088 net.exe net1.exe PID 1088 wrote to memory of 1520 1088 net.exe net1.exe PID 1088 wrote to memory of 1520 1088 net.exe net1.exe PID 1312 wrote to memory of 1668 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1668 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1668 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1668 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1668 wrote to memory of 1360 1668 net.exe net1.exe PID 1668 wrote to memory of 1360 1668 net.exe net1.exe PID 1668 wrote to memory of 1360 1668 net.exe net1.exe PID 1668 wrote to memory of 1360 1668 net.exe net1.exe PID 1312 wrote to memory of 1764 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1764 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1764 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1764 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1764 wrote to memory of 1824 1764 net.exe net1.exe PID 1764 wrote to memory of 1824 1764 net.exe net1.exe PID 1764 wrote to memory of 1824 1764 net.exe net1.exe PID 1764 wrote to memory of 1824 1764 net.exe net1.exe PID 1312 wrote to memory of 1836 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1836 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1836 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1836 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1836 wrote to memory of 1844 1836 net.exe net1.exe PID 1836 wrote to memory of 1844 1836 net.exe net1.exe PID 1836 wrote to memory of 1844 1836 net.exe net1.exe PID 1836 wrote to memory of 1844 1836 net.exe net1.exe PID 1312 wrote to memory of 1788 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1788 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1788 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1312 wrote to memory of 1788 1312 90a909a4508aa899b4be372e7de6f500.exe net.exe PID 1788 wrote to memory of 1768 1788 net.exe net1.exe PID 1788 wrote to memory of 1768 1788 net.exe net1.exe PID 1788 wrote to memory of 1768 1788 net.exe net1.exe PID 1788 wrote to memory of 1768 1788 net.exe net1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\90a909a4508aa899b4be372e7de6f500.exe"C:\Users\Admin\AppData\Local\Temp\90a909a4508aa899b4be372e7de6f500.exe"1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"net.exe" stop avpsus /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfewc /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BMR Boot Service /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DefWatch /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccEvtMgr /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccSetMgr /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SavRoam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RTVscan /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBFCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBIDPService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBCFMonitorService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooBackup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooIT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop zhudongfangyu /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop stc_raw_agent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VSNAPVSS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop veeam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophos /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin2⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpDD91.bat2⤵
-
C:\Windows\SysWOW64\mountvol.exemountvol3⤵
-
C:\Windows\SysWOW64\find.exefind "}\"3⤵
-
C:\Windows\SysWOW64\mountvol.exemountvol !freedrive!: \\?\Volume{ef8b9383-8b17-11ea-a5f6-806e6f6e6963}\3⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\mountvol.exemountvol !freedrive!: \\?\Volume{ef8b9384-8b17-11ea-a5f6-806e6f6e6963}\3⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\mountvol.exemountvol !freedrive!: \\?\Volume{ef8b9387-8b17-11ea-a5f6-806e6f6e6963}\3⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\DEAL_FOR_ACCESS_TO_YOUR_FILES.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\90a909a4508aa899b4be372e7de6f500.exe2⤵
- Deletes itself
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpDD91.batMD5
1af2c796c268a8160d0d93e8866dc7b0
SHA16d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f
SHA25694e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8
SHA512af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e
-
C:\Users\Admin\AppData\Local\Temp\v.txtMD5
311279e9ffc5d0b14e0a3e8e1f5e67f7
SHA17035a0280655bb36ca253f9fc83a53fc5d9b14c7
SHA256eb0d4e5629e5316a18c24ab2920f49994e1467d840daa6e2cf5fed89049391cd
SHA51250951d6d2c07ab493e1ebb82b34b219248a6e4f17866ee9b8502fdf96ec2d935f21dc837252cd5bc2362fc10a343da295942a13aa7a9217ce12c0965e1371349
-
C:\Users\Admin\Desktop\DEAL_FOR_ACCESS_TO_YOUR_FILES.txtMD5
17828cc72b0df3a528da9436bbd3cfab
SHA164a9536158ea38a81d655651764b68f00bf5e623
SHA256d746e3f79af6c814c5e590881e55f525d9391c71b64297d0e7906888f600730b
SHA5128c357ab0ae373c99762a3771a0ce053453db078531bcd8a7ee191b53e9390f6b3e18282a95beffb78ace61750b3bcb2663d9e6c975157fb5d233e3e1284d0297
-
memory/240-4-0x0000000000000000-mapping.dmp
-
memory/288-109-0x0000000000000000-mapping.dmp
-
memory/300-54-0x0000000000000000-mapping.dmp
-
memory/324-41-0x0000000000000000-mapping.dmp
-
memory/364-82-0x0000000000000000-mapping.dmp
-
memory/368-52-0x0000000000000000-mapping.dmp
-
memory/544-69-0x0000000000000000-mapping.dmp
-
memory/544-1-0x0000000000000000-mapping.dmp
-
memory/568-51-0x0000000000000000-mapping.dmp
-
memory/616-19-0x0000000000000000-mapping.dmp
-
memory/652-16-0x0000000000000000-mapping.dmp
-
memory/744-83-0x0000000000000000-mapping.dmp
-
memory/748-102-0x0000000000000000-mapping.dmp
-
memory/828-99-0x0000000000000000-mapping.dmp
-
memory/836-38-0x0000000000000000-mapping.dmp
-
memory/848-40-0x0000000000000000-mapping.dmp
-
memory/856-32-0x0000000000000000-mapping.dmp
-
memory/864-17-0x0000000000000000-mapping.dmp
-
memory/920-111-0x0000000000000000-mapping.dmp
-
memory/984-18-0x0000000000000000-mapping.dmp
-
memory/1000-78-0x0000000000000000-mapping.dmp
-
memory/1012-2-0x0000000000000000-mapping.dmp
-
memory/1060-70-0x0000000000000000-mapping.dmp
-
memory/1064-42-0x0000000000000000-mapping.dmp
-
memory/1068-5-0x0000000000000000-mapping.dmp
-
memory/1068-73-0x0000000000000000-mapping.dmp
-
memory/1084-68-0x0000000000000000-mapping.dmp
-
memory/1088-6-0x0000000000000000-mapping.dmp
-
memory/1092-108-0x0000000000000000-mapping.dmp
-
memory/1104-34-0x0000000000000000-mapping.dmp
-
memory/1108-81-0x0000000000000000-mapping.dmp
-
memory/1200-33-0x0000000000000000-mapping.dmp
-
memory/1200-66-0x0000000000000000-mapping.dmp
-
memory/1256-56-0x0000000000000000-mapping.dmp
-
memory/1308-65-0x0000000000000000-mapping.dmp
-
memory/1316-20-0x0000000000000000-mapping.dmp
-
memory/1320-86-0x0000000000000000-mapping.dmp
-
memory/1324-77-0x0000000000000000-mapping.dmp
-
memory/1360-9-0x0000000000000000-mapping.dmp
-
memory/1376-44-0x0000000000000000-mapping.dmp
-
memory/1380-45-0x0000000000000000-mapping.dmp
-
memory/1380-75-0x0000000000000000-mapping.dmp
-
memory/1464-113-0x0000000000000000-mapping.dmp
-
memory/1480-0-0x0000000000000000-mapping.dmp
-
memory/1484-35-0x0000000000000000-mapping.dmp
-
memory/1484-100-0x0000000000000000-mapping.dmp
-
memory/1488-89-0x0000000000000000-mapping.dmp
-
memory/1492-67-0x0000000000000000-mapping.dmp
-
memory/1508-90-0x0000000000000000-mapping.dmp
-
memory/1516-53-0x0000000000000000-mapping.dmp
-
memory/1520-91-0x0000000000000000-mapping.dmp
-
memory/1520-7-0x0000000000000000-mapping.dmp
-
memory/1524-43-0x0000000000000000-mapping.dmp
-
memory/1528-74-0x0000000000000000-mapping.dmp
-
memory/1544-101-0x0000000000000000-mapping.dmp
-
memory/1560-88-0x0000000000000000-mapping.dmp
-
memory/1564-58-0x0000000000000000-mapping.dmp
-
memory/1568-59-0x0000000000000000-mapping.dmp
-
memory/1572-37-0x0000000000000000-mapping.dmp
-
memory/1580-36-0x0000000000000000-mapping.dmp
-
memory/1592-22-0x0000000000000000-mapping.dmp
-
memory/1596-87-0x0000000000000000-mapping.dmp
-
memory/1600-57-0x0000000000000000-mapping.dmp
-
memory/1612-106-0x0000000000000000-mapping.dmp
-
memory/1612-3-0x0000000000000000-mapping.dmp
-
memory/1612-39-0x0000000000000000-mapping.dmp
-
memory/1612-71-0x0000000000000000-mapping.dmp
-
memory/1616-72-0x0000000000000000-mapping.dmp
-
memory/1620-24-0x0000000000000000-mapping.dmp
-
memory/1624-55-0x0000000000000000-mapping.dmp
-
memory/1624-21-0x0000000000000000-mapping.dmp
-
memory/1636-23-0x0000000000000000-mapping.dmp
-
memory/1636-94-0x0000000000000000-mapping.dmp
-
memory/1640-93-0x0000000000000000-mapping.dmp
-
memory/1668-8-0x0000000000000000-mapping.dmp
-
memory/1676-114-0x0000000000000000-mapping.dmp
-
memory/1696-103-0x0000000000000000-mapping.dmp
-
memory/1764-10-0x0000000000000000-mapping.dmp
-
memory/1768-15-0x0000000000000000-mapping.dmp
-
memory/1768-50-0x0000000000000000-mapping.dmp
-
memory/1784-49-0x0000000000000000-mapping.dmp
-
memory/1788-14-0x0000000000000000-mapping.dmp
-
memory/1792-48-0x0000000000000000-mapping.dmp
-
memory/1816-46-0x0000000000000000-mapping.dmp
-
memory/1824-11-0x0000000000000000-mapping.dmp
-
memory/1828-85-0x0000000000000000-mapping.dmp
-
memory/1828-47-0x0000000000000000-mapping.dmp
-
memory/1836-12-0x0000000000000000-mapping.dmp
-
memory/1844-13-0x0000000000000000-mapping.dmp
-
memory/1848-92-0x0000000000000000-mapping.dmp
-
memory/1852-76-0x0000000000000000-mapping.dmp
-
memory/1856-84-0x0000000000000000-mapping.dmp
-
memory/1888-27-0x0000000000000000-mapping.dmp
-
memory/1892-28-0x0000000000000000-mapping.dmp
-
memory/1896-96-0x0000000000000000-mapping.dmp
-
memory/1896-25-0x0000000000000000-mapping.dmp
-
memory/1900-61-0x0000000000000000-mapping.dmp
-
memory/1908-60-0x0000000000000000-mapping.dmp
-
memory/1928-97-0x0000000000000000-mapping.dmp
-
memory/1932-98-0x0000000000000000-mapping.dmp
-
memory/1936-79-0x0000000000000000-mapping.dmp
-
memory/1948-26-0x0000000000000000-mapping.dmp
-
memory/1960-80-0x0000000000000000-mapping.dmp
-
memory/1968-29-0x0000000000000000-mapping.dmp
-
memory/1972-63-0x0000000000000000-mapping.dmp
-
memory/1980-30-0x0000000000000000-mapping.dmp
-
memory/1984-62-0x0000000000000000-mapping.dmp
-
memory/2028-31-0x0000000000000000-mapping.dmp
-
memory/2032-64-0x0000000000000000-mapping.dmp