
Analysis Report p2h.exe

Overview

General Information

Sample Name: p2h.exe
Analysis ID: 251146
MD5: 6006725a2daa0b01a4af2fddf58db57b
SHA1: 2e9c40f5bc4f7d8c543cf5a93123fc2794f26a6a
SHA256: 448f9d5980c6e327d5cf3e3286381df157876c7f4a748a31038d5bee5479c901

Most interesting Screenshot:

Detection

Netwalker
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found ransom note / readme
Yara detected Netwalker ransomware
Deletes shadow drive data (may be related to ransomware)
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Writes a notice file (html or txt) to demand a ransom
Creates COM task schedule object (often to register a task for autostart)
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Startup

  • System is w10x64
  • p2h.exe (PID: 5004 cmdline: 'C:\Users\user\Desktop\p2h.exe' MD5: 6006725A2DAA0B01A4AF2FDDF58DB57B)
    • vssadmin.exe (PID: 1496 cmdline: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)
      • conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: p2h.exe PID: 5004 | JoeSecurity_Netwalker | Yara detected Netwalker ransomware | Joe Security | (none listed)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Machine Learning detection for sample
Source: p2h.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\p2h.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\p2h.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\p2h.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\p2h.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\p2h.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\p2h.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\p2h.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\p2h.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: p2h.exe, 00000000.00000003.968194093.000000004F7C3000.00000004.00000001.sdmp; Binary or memory string: _winapi_registerhotkey _winapi_registerpowersettingnotification _winapi_registerrawinputdevices \

Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme
Source: C:\ProgramData\A5F447-Readme.txt; Dropped file:
Hi!
Your files are encrypted.
All encrypted files for this computer has extension: .a5f447
--
If for some reason you read this text before the encryption ended,
this can be understood by the fact that the computer slows down,
and your heart rate has increased due to the ability to turn it off,
then we recommend that you move away from the computer and accept that you have been compromised.
Rebooting/shutdown will cause you to lose files without the possibility of recovery.
--
Our encryption algorithms are very strong and your files are very well protected,
the only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
For us this is just business and to prove to you our seriousness, we will decrypt you one file for free.
Just open our website, upload the encrypted file and get the decrypted file for free.
Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog.
--
Steps to get access on our website:
1. Download and install tor-browser: https://torproject.org/
2. Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3. Put your personal code in the input form:
{code_a5f447:3PsLNNh3dEaKce47X8zi74gg8lCchhmMh+9YetGhFWsALZzULCTi0Qzwr/kMgSIS6iv/FlfucrLkHHLpDeoWPFQJ+dA3YHw11IeSFtuZC7Edlh5Ep3PA7OF3TmpgrJABXgKvbrXuuc2o/jl/3M+COsVmZD/QAOfscG3sLsrDIU+BB4uIiMVSv/MAWQ0rf3VVQiUwMjUD8Ufvbu55n4WMUNUIyV2IT2/5qR1i653sP22D0rCdgsL2GxRgmTppaVM8WP5SzDGcclDU0NYuGPvEFQc4z5uJN249sw==}
Yara detected Netwalker ransomware
Source: Yara match; File source: Process Memory Space: p2h.exe PID: 5004, type: MEMORY
Deletes shadow drive data (may be related to ransomware)
Source: unknown; Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\p2h.exe; Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: p2h.exe, 00000000.00000003.770463328.0000000000220000.00000004.00000001.sdmp; Binary or memory string: C:\Windows\system32\vssadmin.exe delete shadows /all /quietg
Source: vssadmin.exe, 00000002.00000002.780739828.000002C470135000.00000004.00000040.sdmp; Binary or memory string: C:\Windows\system32\vssadmin.exedeleteshadows/all/quiet
Source: vssadmin.exe, 00000002.00000002.780602423.000002C46FE70000.00000002.00000001.sdmp; Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000002.00000002.780602423.000002C46FE70000.00000002.00000001.sdmp; Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000002.00000002.780602423.000002C46FE70000.00000002.00000001.sdmp; Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000002.00000002.780602423.000002C46FE70000.00000002.00000001.sdmp; Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000002.00000002.780602423.000002C46FE70000.00000002.00000001.sdmp; Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe, 00000002.00000002.780628594.000002C46FEF0000.00000004.00000020.sdmp; Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quietC:\Windows\system32\vssadmin.exeWinSta0\Default
Source: vssadmin.exe, 00000002.00000002.780628594.000002C46FEF0000.00000004.00000020.sdmp; Binary or memory string: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
May disable shadow drive data (uses vssadmin)
Source: unknown; Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\p2h.exe; Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Writes a notice file (html or txt) to demand a ransom
Source: C:\Users\user\Desktop\p2h.exe; File dropped: C:\ProgramData\A5F447-Readme.txt -> decrypter program.do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.for us this is just business and to prove to you our seriousness, we will decrypt you one file for free.just open our website, upload the encrypted file and get the decrypted file for free.additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog.--steps to get access on our website:1.download and install tor-browser: https://torproject.org/2.open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onionif the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.put your personal code in the input form:{code_a5f447:3pslnnh3deakce47x8zi74gg8lcchhmmh+9yetghfwsalzzulcti0qzwr/kmgsis6iv/flfucrlkhhlpdeowpfqj+da3yhw11iesftuzc7edlh5ep3pa7of3tmpgrjabxgkvbrxuuc2o/jl/3m+cosvmzd/qaofscg3slsrd
Source: C:\Users\user\Desktop\p2h.exe; File dropped: C:\Program Files (x86)\Free Window Registry Repair\A5F447-Readme.txt -> (same ransom note text as the C:\ProgramData copy above)
Source: C:\Users\user\Desktop\p2h.exe; File dropped: C:\Program Files (x86)\AutoIt3\A5F447-Readme.txt -> (same ransom note text as the C:\ProgramData copy above)
Source: C:\Users\user\Desktop\p2h.exe; File dropped: C:\Program Files (x86)\Microsoft Office\A5F447-Readme.txt -> (same ransom note text as the C:\ProgramData copy above)
Source: p2h.exe, 00000000.00000003.1467421354.000000004FED6000.00000004.00000001.sdmp; Binary or memory string: Global Const $FV_ORIGINALFILENAME = "OriginalFilename" vs p2h.exe
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameGoogleUpdate.exe4 vs p2h.exe
Source: classification engine; Classification label: mal72.rans.winEXE@4/14@0/0
Source: C:\Users\user\Desktop\p2h.exe; File created: C:\Program Files (x86)\free window registry repair\A5F447-Readme.txt
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_01
Source: p2h.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\p2h.exe; System information queried: HandleInformation
Source: C:\Users\user\Desktop\p2h.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\p2h.exe 'C:\Users\user\Desktop\p2h.exe'
Source: unknown; Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\p2h.exe; Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\p2h.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: p2h.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\p2h.exe; File created: C:\Documents and Settings\All Users\A5F447-Readme.txt
Source: C:\Users\user\Desktop\p2h.exe; File created: C:\Program Files (x86)\free window registry repair\A5F447-Readme.txt
Source: C:\Users\user\Desktop\p2h.exe; File created: C:\Program Files (x86)\autoit3\A5F447-Readme.txt
Source: C:\Users\user\Desktop\p2h.exe; File created: C:\Program Files (x86)\microsoft office\A5F447-Readme.txt
Source: C:\Users\user\Desktop\p2h.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\p2h.exe TID: 5028; Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\p2h.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\p2h.exe; Process token adjusted: Debug

MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task1 | Scheduled Task1 | Process Injection1 | Masquerading1 | Input Capture11 | Virtualization/Sandbox Evasion1 | Application Deployment Software | Input Capture11 | Data Compressed | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1
Replication Through Removable Media | Service Execution | Port Monitors | Scheduled Task1 | Virtualization/Sandbox Evasion1 | Network Sniffing | Process Discovery2 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Process Injection1 | Input Capture | System Information Discovery2 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | File Deletion1 | Credentials in Files | System Network Configuration Discovery | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | Premium SMS Toll Fraud | 

Behavior Graph

(Interactive behavior graph not reproduced. Legend categories: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.)

Screenshots

(Screenshot thumbnails not reproduced.)