Windows Analysis Report
ZunmmW7pe5.exe

Overview

General Information

Sample Name:ZunmmW7pe5.exe
Analysis ID:626600
MD5:6d87be9212a1a0e92e58e1ed94c589f9
SHA1:19ce538b2597da454abf835cff676c28b8eb66f7
SHA256:c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac

Detection

Rook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Rook Ransomware
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Deletes itself after installation
Deletes shadow drive data (may be related to ransomware)
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Checks for available system drives (often done to infect USB drives)
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is start
  • ZunmmW7pe5.exe (PID: 8072 cmdline: "C:\Users\user\Desktop\ZunmmW7pe5.exe" MD5: 6D87BE9212A1A0E92E58E1ED94C589F9)
    • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • cmd.exe (PID: 7756 cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet MD5: 9D59442313565C2E0860B88BF32B2277)
      • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • vssadmin.exe (PID: 8152 cmdline: vssadmin.exe delete shadows /all /quiet MD5: 02A10DBF904883B1F8EE9F3CC70F5EB8)
  • cleanup
{"Ransom Note": "-----------Welcome. Again. --------------------\r\n[+]Whats Happen?[+]\r\n\r\nYour files are encrypted,and currently unavailable. You can check it: all files on you computer has expansion robet.\r\n\r\nBy the way,everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).\r\n\r\n[+] What guarantees?[+]\r\n\r\nIts just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.\r\n\r\nTo check the file capacity, please send 3 files not larger than 1M to us, and we will prove that we are capable of restoring.\r\n\r\nIf you will not cooperate with our service - for us, its does not matter. But you will lose your time and data,cause just we have the private key. In practise - time is much more valuable than money.\r\n\r\nIf we find that a security vendor or law enforcement agency pretends to be you to negotiate with us, we will directly destroy the private key and no longer provide you with decryption services.\r\n\r\nYou have 3 days to contact us for negotiation. Within 3 days, we will provide a 50% discount. If the discount service is not provided for more than 3 days, the files will be leaked to our onion network. 
Every more than 3 days will increase the number of leaked files.\r\n\r\nPlease use the company email to contact us, otherwise we will not reply.\r\n\r\n[+] How to get access on website?[+] \r\n\r\nYou have two ways:\r\n\r\n1) [Recommended] Using a TOR browser!\r\n\ta) Download and install TOR browser from this site:https://torproject.org/\n\tb) Open our website:gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion\r\n\r\n2) Our mail box:\r\n\ta)rook@onionmail.org\r\n\tb)securityRook@onionmail.org\r\n\tc)If the mailbox fails or is taken over, please open Onion Network to check the new mailbox\r\n------------------------------------------------------------------------------------------------\r\n!!!DANGER!!!\r\nDONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.\r\n!!!!!!!\r\n\r\nAGAIN: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, please should not interfere.\r\n!!!!!!!\r\n\r\nONE MORE TIME: Security vendors and law enforcement agencies, please be aware that attacks on us will make us even stronger.\r\n\r\n!!!!!!!\r\n"}
Source | Rule | Description | Author | Strings
ZunmmW7pe5.exe | MALWARE_Win_Babuk | Detects Babuk ransomware | ditekSHen
  • 0x4c738:$s6: bootsect.bak
  • 0x4cc30:$s7: Can't open file after killHolder
  • 0x4cbd0:$s8: Can't OpenProcess
  • 0x4cd60:$arg4: shares
  • 0x4cd70:$arg5: paths
Source | Rule | Description | Author | Strings
Process Memory Space: ZunmmW7pe5.exe PID: 8072 | JoeSecurity_Rook | Yara detected Rook Ransomware | Joe Security
    Source | Rule | Description | Author | Strings
    0.2.ZunmmW7pe5.exe.7ff7e3710000.0.unpack | MALWARE_Win_Babuk | Detects Babuk ransomware | ditekSHen
    • 0x4d338:$s6: bootsect.bak
    • 0x4d830:$s7: Can't open file after killHolder
    • 0x4d7d0:$s8: Can't OpenProcess
    • 0x4d960:$arg4: shares
    • 0x4d970:$arg5: paths
    0.0.ZunmmW7pe5.exe.7ff7e3710000.0.unpack | MALWARE_Win_Babuk | Detects Babuk ransomware | ditekSHen
    • 0x4d338:$s6: bootsect.bak
    • 0x4d830:$s7: Can't open file after killHolder
    • 0x4d7d0:$s8: Can't OpenProcess
    • 0x4d960:$arg4: shares
    • 0x4d970:$arg5: paths
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: ZunmmW7pe5.exe | Avira: detected
    Source: 0.0.ZunmmW7pe5.exe.7ff7e3710000.0.unpackMalware Configuration Extractor: Rook Ransomware {"Ransom Note": "-----------Welcome. Again. --------------------\r\n[+]Whats Happen?[+]\r\n\r\nYour files are encrypted,and currently unavailable. You can check it: all files on you computer has expansion robet.\r\n\r\nBy the way,everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).\r\n\r\n[+] What guarantees?[+]\r\n\r\nIts just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.\r\n\r\nTo check the file capacity, please send 3 files not larger than 1M to us, and we will prove that we are capable of restoring.\r\n\r\nIf you will not cooperate with our service - for us, its does not matter. But you will lose your time and data,cause just we have the private key. In practise - time is much more valuable than money.\r\n\r\nIf we find that a security vendor or law enforcement agency pretends to be you to negotiate with us, we will directly destroy the private key and no longer provide you with decryption services.\r\n\r\nYou have 3 days to contact us for negotiation. Within 3 days, we will provide a 50% discount. If the discount service is not provided for more than 3 days, the files will be leaked to our onion network. 
Every more than 3 days will increase the number of leaked files.\r\n\r\nPlease use the company email to contact us, otherwise we will not reply.\r\n\r\n[+] How to get access on website?[+] \r\n\r\nYou have two ways:\r\n\r\n1) [Recommended] Using a TOR browser!\r\n\ta) Download and install TOR browser from this site:https://torproject.org/\n\tb) Open our website:gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion\r\n\r\n2) Our mail box:\r\n\ta)rook@onionmail.org\r\n\tb)securityRook@onionmail.org\r\n\tc)If the mailbox fails or is taken over, please open Onion Network to check the new mailbox\r\n------------------------------------------------------------------------------------------------\r\n!!!DANGER!!!\r\nDONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.\r\n!!!!!!!\r\n\r\nAGAIN: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, please should not interfere.\r\n!!!!!!!\r\n\r\nONE MORE TIME: Security vendors and law enforcement agencies, please be aware that attacks on us will make us even stronger.\r\n\r\n!!!!!!!\r\n"}
    Source: ZunmmW7pe5.exe | Virustotal: Detection: 79%
    Source: ZunmmW7pe5.exe | Metadefender: Detection: 27%
    Source: ZunmmW7pe5.exe | ReversingLabs: Detection: 88%
    Source: ZunmmW7pe5.exe | Joe Sandbox ML: detected
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E371DBF0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,CryptReleaseContext
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: -----BEGIN PUBLIC KEY----- | 0_2_00007FF7E3711C00
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: -----BEGIN RSA PUBLIC KEY----- | 0_2_00007FF7E371CD10
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: -----BEGIN PUBLIC KEY----- | 0_2_00007FF7E371CD10
    Source: ZunmmW7pe5.exe | Binary or memory string: -----BEGIN RSA PUBLIC KEY-----
    Source: ZunmmW7pe5.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: z:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: x:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: v:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: t:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: r:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: p:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: n:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: l:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: j:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: h:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: f:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: b:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: y:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: w:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: u:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: s:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: q:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: o:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: m:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: k:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: i:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: g:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: e:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: c:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: a:
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3712C00 RtlAllocateHeap,lstrcpyW,lstrcatW,CreateFileW,lstrlen,WriteFile,CloseHandle,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrlenW,lstrcmpiW,lstrcmpiW,lstrcmpiW,WaitForSingleObject,WaitForSingleObject,RtlAcquirePebLock,RtlLeaveCriticalSection,ReleaseSemaphore,HeapFree,RtlAcquirePebLock,lstrlenW,RtlAllocateHeap,RtlLeaveCriticalSection,ReleaseSemaphore,FindNextFileW,FindClose,lstrlenW,WideCharToMultiByte,RtlAllocateHeap,lstrlenW,WideCharToMultiByte,GetLastError,HeapFree,RtlReleasePrivilege
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E37130B0 WaitForSingleObject,WaitForSingleObject,RtlAcquirePebLock,RtlLeaveCriticalSection,ReleaseSemaphore,HeapFree,RtlAcquirePebLock,lstrlenW,RtlAllocateHeap,RtlLeaveCriticalSection,ReleaseSemaphore,RtlAllocateHeap,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,FindNextFileW,FindClose,lstrlenW,WideCharToMultiByte,RtlAllocateHeap,lstrlenW,WideCharToMultiByte,GetLastError,HeapFree,RtlReleasePrivilege
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E374313C FindFirstFileExA
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: C:\Documents and Settings\user\Application Data\Adobe\Acrobat\DC\
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: C:\Documents and Settings\user\3D Objects\
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: C:\Documents and Settings\user\Application Data\
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: C:\Documents and Settings\user\Application Data\Adobe\Acrobat\
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: C:\Documents and Settings\user\Application Data\Adobe\
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: C:\Documents and Settings\user\
    Source: ZunmmW7pe5.exe, HowToRestoreYourFiles.txt61.0.dr, HowToRestoreYourFiles.txt77.0.dr, HowToRestoreYourFiles.txt73.0.dr, HowToRestoreYourFiles.txt42.0.dr, HowToRestoreYourFiles.txt114.0.dr, HowToRestoreYourFiles.txt108.0.dr, HowToRestoreYourFiles.txt54.0.dr, HowToRestoreYourFiles.txt95.0.dr, HowToRestoreYourFiles.txt5.0.dr, HowToRestoreYourFiles.txt21.0.dr, HowToRestoreYourFiles.txt102.0.dr, HowToRestoreYourFiles.txt69.0.dr, HowToRestoreYourFiles.txt1.0.dr, HowToRestoreYourFiles.txt30.0.dr, HowToRestoreYourFiles.txt66.0.dr, HowToRestoreYourFiles.txt15.0.dr, HowToRestoreYourFiles.txt111.0.dr, HowToRestoreYourFiles.txt22.0.dr, HowToRestoreYourFiles.txt91.0.dr, HowToRestoreYourFiles.txt34.0.dr | String found in binary or memory: https://torproject.org/

    Spam, unwanted Advertisements and Ransom Demands

    Source: Yara match | File source: Process Memory Space: ZunmmW7pe5.exe PID: 8072, type: MEMORYSTR
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet
    Source: ZunmmW7pe5.exe | Binary or memory string: /c vssadmin.exe delete shadows /all /quiet
    Source: ZunmmW7pe5.exe, 00000000.00000002.2994795597.00007FF7E374D000.00000080.00000001.01000000.00000000.sdmpBinary or memory string: memtasmepocsvsssqlsvc$veeambackupGxVssGxBlrGxFWDGxCVDGxCIMgrDefWatchccEvtMgrccSetMgrSavRoamRTVscanQBFCServiceQBIDPServiceIntuit.QuickBooks.FCSQBCFMonitorServiceAcrSch2SvcAcronisAgentCASAD2DWebSvcCAARCUpdateSvcsql.exeoracle.exeocssd.exedbsnmp.exevisio.exewinword.exewordpad.exenotepad.exeexcel.exeonenote.exeoutlook.exesynctime.exeagntsvc.exeisqlplussvc.exexfssvccon.exemydesktopservice.exeocautoupds.exeencsvc.exefirefox.exetbirdconfig.exemydesktopqos.exeocomm.exedbeng50.exesqbcoreservice.exeinfopath.exemsaccess.exemspub.exepowerpnt.exesteam.exethebat.exethunderbird.exeQ:\W:\E:\R:\T:\Y:\U:\I:\O:\P:\A:\S:\D:\F:\G:\H:\J:\K:\L:\Z:\X:\C:\V:\B:\N:\M:\IsWow64Processkernel32.dllWow64DisableWow64FsRedirection/c vssadmin.exe delete shadows /all /quietcmd.exeopenWow64RevertWow64FsRedirection
    Source: ZunmmW7pe5.exe, 00000000.00000000.1645153422.00007FF7E3711000.00000080.00000001.01000000.00000003.sdmpBinary or memory string: memtasmepocsvsssqlsvc$veeambackupGxVssGxBlrGxFWDGxCVDGxCIMgrDefWatchccEvtMgrccSetMgrSavRoamRTVscanQBFCServiceQBIDPServiceIntuit.QuickBooks.FCSQBCFMonitorServiceAcrSch2SvcAcronisAgentCASAD2DWebSvcCAARCUpdateSvcsql.exeoracle.exeocssd.exedbsnmp.exevisio.exewinword.exewordpad.exenotepad.exeexcel.exeonenote.exeoutlook.exesynctime.exeagntsvc.exeisqlplussvc.exexfssvccon.exemydesktopservice.exeocautoupds.exeencsvc.exefirefox.exetbirdconfig.exemydesktopqos.exeocomm.exedbeng50.exesqbcoreservice.exeinfopath.exemsaccess.exemspub.exepowerpnt.exesteam.exethebat.exethunderbird.exeQ:\W:\E:\R:\T:\Y:\U:\I:\O:\P:\A:\S:\D:\F:\G:\H:\J:\K:\L:\Z:\X:\C:\V:\B:\N:\M:\IsWow64Processkernel32.dllWow64DisableWow64FsRedirection/c vssadmin.exe delete shadows /all /quietcmd.exeopenWow64RevertWow64FsRedirection
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet
    Source: vssadmin.exe, 00000008.00000002.1705895117.0000027A0F000000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quietvssadmin.exe delete shadows /all /quietWinSta0\Default
    Source: vssadmin.exe, 00000008.00000002.1705895117.0000027A0F000000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vssadmin.exe delete shadows /all /quiet
    Source: vssadmin.exe, 00000008.00000002.1708547648.0000027A0F345000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vssadmin.exedeleteshadows/all/quietE
    Source: ZunmmW7pe5.exeBinary or memory string: memtasmepocsvsssqlsvc$veeambackupGxVssGxBlrGxFWDGxCVDGxCIMgrDefWatchccEvtMgrccSetMgrSavRoamRTVscanQBFCServiceQBIDPServiceIntuit.QuickBooks.FCSQBCFMonitorServiceAcrSch2SvcAcronisAgentCASAD2DWebSvcCAARCUpdateSvcsql.exeoracle.exeocssd.exedbsnmp.exevisio.exewinword.exewordpad.exenotepad.exeexcel.exeonenote.exeoutlook.exesynctime.exeagntsvc.exeisqlplussvc.exexfssvccon.exemydesktopservice.exeocautoupds.exeencsvc.exefirefox.exetbirdconfig.exemydesktopqos.exeocomm.exedbeng50.exesqbcoreservice.exeinfopath.exemsaccess.exemspub.exepowerpnt.exesteam.exethebat.exethunderbird.exeQ:\W:\E:\R:\T:\Y:\U:\I:\O:\P:\A:\S:\D:\F:\G:\H:\J:\K:\L:\Z:\X:\C:\V:\B:\N:\M:\IsWow64Processkernel32.dllWow64DisableWow64FsRedirection/c vssadmin.exe delete shadows /all /quietcmd.exeopenWow64RevertWow64FsRedirection
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File moved: C:\Users\user\Desktop\GNLQNHOLWB\BWETZDQDIB.pdf
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File moved: C:\Users\user\Desktop\GNLQNHOLWB\MOCYNWGDZO.mp3
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File moved: C:\Users\user\Desktop\PWZOQIFCAN\IZMFBFKMEB.pdf
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File moved: C:\Users\user\Desktop\PWZOQIFCAN\UBVUNTSCZJ.mp3
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File moved: C:\Users\user\Desktop\GNLQNHOLWB.jpg

    System Summary

    Source: ZunmmW7pe5.exe, type: SAMPLE | Matched rule: Detects Babuk ransomware Author: ditekSHen
    Source: 0.2.ZunmmW7pe5.exe.7ff7e3710000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Babuk ransomware Author: ditekSHen
    Source: 0.0.ZunmmW7pe5.exe.7ff7e3710000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Babuk ransomware Author: ditekSHen
    Source: ZunmmW7pe5.exe, type: SAMPLE | Matched rule: MALWARE_Win_Babuk author = ditekSHen, description = Detects Babuk ransomware
    Source: 0.2.ZunmmW7pe5.exe.7ff7e3710000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Babuk author = ditekSHen, description = Detects Babuk ransomware
    Source: 0.0.ZunmmW7pe5.exe.7ff7e3710000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Babuk author = ditekSHen, description = Detects Babuk ransomware
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3711C00
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3712C00
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3724300
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3713970
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E37130B0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3712070
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E37227C0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3737F20
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E37234B0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E371ACC0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E37394C0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E371CD10
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3720460
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E372EC60
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E37313B0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3736340
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3720AB0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E372BAB0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E37472C0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E371BAF0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E373DAF8
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3738240
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E373F9AC
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E37219F0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E371D120
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3716920
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3718150
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3737980
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3736180
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E37368B0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E37388D0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3714900
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3737EF0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E371A820
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E373A020
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3735840
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E372F050
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E373D87C
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3717FD0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3742F30
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3738F60
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E371D780
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3716EA0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E372F6A0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E37306C0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3731F00
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3716640
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3717650
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3735650
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3738660
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3735E90
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E374A5A8
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E37395D0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3746DF0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3737520
    Source: ZunmmW7pe5.exe | Virustotal: Detection: 79%
    Source: ZunmmW7pe5.exe | Metadefender: Detection: 27%
    Source: ZunmmW7pe5.exe | ReversingLabs: Detection: 88%
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3711660 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,FindCloseChangeNotification
    Source: unknown | Process created: C:\Users\user\Desktop\ZunmmW7pe5.exe "C:\Users\user\Desktop\ZunmmW7pe5.exe"
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_02
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:304:WilStaging_02
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Mutant created: \Sessions\1\BaseNamedObjects\asfgjkl878645165456fa888
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_02
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:304:WilStaging_02
    Source: classification engine | Classification label: mal100.rans.winEXE@7/291@0/0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File read: C:\Users\user\Desktop\desktop.ini
    Source: ZunmmW7pe5.exe | Static PE information: Image base 0x140000000 > 0x60000000
    Source: ZunmmW7pe5.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3711310 LoadLibraryA,GetProcAddress,ShellExecuteW,LoadLibraryA,GetProcAddress
    Source: initial sample | Static PE information: section name: UPX0
    Source: initial sample | Static PE information: section name: UPX1

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File deleted: c:\users\user\desktop\zunmmw7pe5.exe
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Key value created or modified: HKEY_CURRENT_USER\Software RookPrivateKey
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3713970 GetProcessHeap,GetCommandLineW,CommandLineToArgvW,SetProcessShutdownParameters,RtlInitializeCriticalSection,CreateFileW,SHEmptyRecycleBinA,GetSystemInfo,RtlAllocateHeap,CreateSemaphoreA,CreateSemaphoreA,RtlInitializeCriticalSection,RtlAllocateHeap,CreateSemaphoreA,CreateSemaphoreA,RtlInitializeCriticalSection,RtlAllocateHeap,RtlAllocateHeap,CreateThread,CreateThread,lstrlenW,lstrlenW,RtlAllocateHeap,lstrcpyW,HeapFree,lstrlenW,lstrlenW,lstrlenW,RtlAllocateHeap,lstrcpyW,lstrlenW,HeapFree,lstrlenW,OpenMutexA,CreateMutexExA,GetLogicalDrives,WaitForSingleObject,WaitForSingleObject,RtlAcquirePebLock,RtlLeaveCriticalSection,ReleaseSemaphore,WaitForMultipleObjects,WaitForSingleObject,WaitForSingleObject,RtlAcquirePebLock,RtlLeaveCriticalSection,ReleaseSemaphore,WaitForMultipleObjects,CloseHandle,CloseHandle,HeapFree,HeapFree,RtlDeleteCriticalSection,CloseHandle,ExitProcess,0_2_00007FF7E3713970
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E3712C00 RtlAllocateHeap,lstrcpyW,lstrcatW,CreateFileW,lstrlen,WriteFile,CloseHandle,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrlenW,lstrcmpiW,lstrcmpiW,lstrcmpiW,WaitForSingleObject,WaitForSingleObject,RtlAcquirePebLock,RtlLeaveCriticalSection,ReleaseSemaphore,HeapFree,RtlAcquirePebLock,lstrlenW,RtlAllocateHeap,RtlLeaveCriticalSection,ReleaseSemaphore,FindNextFileW,FindClose,lstrlenW,WideCharToMultiByte,RtlAllocateHeap,lstrlenW,WideCharToMultiByte,GetLastError,HeapFree,RtlReleasePrivilege,0_2_00007FF7E3712C00
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E37130B0 WaitForSingleObject,WaitForSingleObject,RtlAcquirePebLock,RtlLeaveCriticalSection,ReleaseSemaphore,HeapFree,RtlAcquirePebLock,lstrlenW,RtlAllocateHeap,RtlLeaveCriticalSection,ReleaseSemaphore,RtlAllocateHeap,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,FindNextFileW,FindClose,lstrlenW,WideCharToMultiByte,RtlAllocateHeap,lstrlenW,WideCharToMultiByte,GetLastError,HeapFree,RtlReleasePrivilege,0_2_00007FF7E37130B0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E374313C FindFirstFileExA,0_2_00007FF7E374313C
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | API call chain: ExitProcess graph end node graph_0-17587
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: C:\Documents and Settings\user\Application Data\Adobe\Acrobat\DC\
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: C:\Documents and Settings\user\3D Objects\
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: C:\Documents and Settings\user\Application Data\
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: C:\Documents and Settings\user\Application Data\Adobe\Acrobat\
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: C:\Documents and Settings\user\Application Data\Adobe\
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | File opened: C:\Documents and Settings\user\
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E37403F4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7E37403F4
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E374AB44 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF7E374AB44
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E373B340 SetUnhandledExceptionFilter,0_2_00007FF7E373B340
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E373B1A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7E373B1A0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E374A3F0 cpuid 0_2_00007FF7E374A3F0
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\Desktop\ZunmmW7pe5.exe | Code function: 0_2_00007FF7E373B08C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF7E373B08C
    MITRE ATT&CK Matrix

    Techniques are listed per tactic column. A number in parentheses is the count of matched signatures for that technique; techniques without a number are the matrix's fixed placeholder cells and did not match any signature for this sample.

    Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
    Execution: Native API (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
    Privilege Escalation: Process Injection (11); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
    Defense Evasion: Modify Registry (1); Process Injection (11); Obfuscated Files or Information (1); Software Packing (1); File Deletion (2); Steganography
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
    Discovery: System Time Discovery (1); Security Software Discovery (2); Process Discovery (2); Peripheral Device Discovery (11); File and Directory Discovery (3); System Information Discovery (14)
    Lateral Movement: Replication Through Removable Media (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
    Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
    Command and Control: Encrypted Channel (2); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
    Impact: Data Encrypted for Impact (1); Device Lockout; Delete Device Data