Analysis
- max time kernel: 114s
- max time network: 117s
- platform: windows10_x64
- resource: win10v200217
- submitted: 09-03-2020 12:34

Static task: static1

Behavioral task: behavioral1
- Sample: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
- Resource: win7v200217

Behavioral task: behavioral2
- Sample: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
- Resource: win10v200217

General
- Target: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
- Size: 150KB
- MD5: 5761ee98b1c2fea31b5408516a8929ea
- SHA1: 4d043df23e55088bfc04c14dfb9ddb329a703cc1
- SHA256: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76
- SHA512: 9dbf296719bc130bc700db94fd43985c32cb9de3b1867ed7c8666b62e4b9d0826b6df03cb125644c9338118d9caf679bfa1eb55da39f46b94db023bdcd9ff338
Malware Config
Extracted
- Path: C:\odt\Restore-My-Files.txt
- Family: lockbit
- URL: http://lockbitks2tvnmwk.onion/?A0C155001DD0CB0196BF6E823935253B
Signatures

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  pid   process
  3092  vssadmin.exe

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes: bcdedit.exe, bcdedit.exe
  pid   process
  3228  bcdedit.exe
  3312  bcdedit.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  description  ioc  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7A8A.tmp.bmp"  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
Lockbit
Ransomware family with multiple variants released since late 2019.

Adds Run entry to start application (2 TTPs, 2 IoCs)
Processes: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  description  ioc  process
  Key created  \REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe\""  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe

Drops desktop.ini file(s) (1 IoC)
Processes: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  description  ioc  process
  File opened for modification  \??\Z:\$RECYCLE.BIN\S-1-5-21-638615289-2068236702-2426684043-1000\desktop.ini  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
Suspicious use of AdjustPrivilegeToken (50 IoCs)
Processes: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe, vssvc.exe, WMIC.exe, wbengine.exe
  description  pid  process
  Token: SeTakeOwnershipPrivilege  3980  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  Token: SeDebugPrivilege  3980  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  Token: SeBackupPrivilege  3284  vssvc.exe
  Token: SeRestorePrivilege  3284  vssvc.exe
  Token: SeAuditPrivilege  3284  vssvc.exe
  Token: SeIncreaseQuotaPrivilege  2160  WMIC.exe
  Token: SeSecurityPrivilege  2160  WMIC.exe
  Token: SeTakeOwnershipPrivilege  2160  WMIC.exe
  Token: SeLoadDriverPrivilege  2160  WMIC.exe
  Token: SeSystemProfilePrivilege  2160  WMIC.exe
  Token: SeSystemtimePrivilege  2160  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2160  WMIC.exe
  Token: SeIncBasePriorityPrivilege  2160  WMIC.exe
  Token: SeCreatePagefilePrivilege  2160  WMIC.exe
  Token: SeBackupPrivilege  2160  WMIC.exe
  Token: SeRestorePrivilege  2160  WMIC.exe
  Token: SeShutdownPrivilege  2160  WMIC.exe
  Token: SeDebugPrivilege  2160  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2160  WMIC.exe
  Token: SeRemoteShutdownPrivilege  2160  WMIC.exe
  Token: SeUndockPrivilege  2160  WMIC.exe
  Token: SeManageVolumePrivilege  2160  WMIC.exe
  Token: 33  2160  WMIC.exe
  Token: 34  2160  WMIC.exe
  Token: 35  2160  WMIC.exe
  Token: 36  2160  WMIC.exe
  Token: SeIncreaseQuotaPrivilege  2160  WMIC.exe
  Token: SeSecurityPrivilege  2160  WMIC.exe
  Token: SeTakeOwnershipPrivilege  2160  WMIC.exe
  Token: SeLoadDriverPrivilege  2160  WMIC.exe
  Token: SeSystemProfilePrivilege  2160  WMIC.exe
  Token: SeSystemtimePrivilege  2160  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2160  WMIC.exe
  Token: SeIncBasePriorityPrivilege  2160  WMIC.exe
  Token: SeCreatePagefilePrivilege  2160  WMIC.exe
  Token: SeBackupPrivilege  2160  WMIC.exe
  Token: SeRestorePrivilege  2160  WMIC.exe
  Token: SeShutdownPrivilege  2160  WMIC.exe
  Token: SeDebugPrivilege  2160  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2160  WMIC.exe
  Token: SeRemoteShutdownPrivilege  2160  WMIC.exe
  Token: SeUndockPrivilege  2160  WMIC.exe
  Token: SeManageVolumePrivilege  2160  WMIC.exe
  Token: 33  2160  WMIC.exe
  Token: 34  2160  WMIC.exe
  Token: 35  2160  WMIC.exe
  Token: 36  2160  WMIC.exe
  Token: SeBackupPrivilege  2880  wbengine.exe
  Token: SeRestorePrivilege  2880  wbengine.exe
  Token: SeSecurityPrivilege  2880  wbengine.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe, cmd.exe
  description  pid  process  target process
  PID 3980 wrote to memory of 3812  3980  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe  cmd.exe
  PID 3980 wrote to memory of 3812  3980  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe  cmd.exe
  PID 3980 wrote to memory of 2180  3980  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe  cmd.exe
  PID 3980 wrote to memory of 2180  3980  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe  cmd.exe
  PID 3980 wrote to memory of 2180  3980  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe  cmd.exe
  PID 2180 wrote to memory of 3648  2180  cmd.exe  PING.EXE
  PID 2180 wrote to memory of 3648  2180  cmd.exe  PING.EXE
  PID 2180 wrote to memory of 3648  2180  cmd.exe  PING.EXE
  PID 2180 wrote to memory of 540  2180  cmd.exe  fsutil.exe
  PID 2180 wrote to memory of 540  2180  cmd.exe  fsutil.exe
  PID 2180 wrote to memory of 540  2180  cmd.exe  fsutil.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
  description  ioc  process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe

Modifies control panel (2 IoCs)
Processes: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  description  ioc  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Control Panel\Desktop\WallpaperStyle = "2"  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Control Panel\Desktop\TileWallpaper = "0"  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe

Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vds.exe
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000  vds.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\FriendlyName  vds.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000  vds.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\FriendlyName  vds.exe

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of NtSetInformationThreadHideFromDebugger (273 IoCs)
Processes: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exepid process 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 
0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 
0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe 3980 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe -
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  pid   process
  3980  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  3980  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe

Processes: wbadmin.exe
  pid   process
  3880  wbadmin.exe

Deletes system backup catalog (2 TTPs)
Ransomware often tries to delete backup files to inhibit system recovery.

Drops file in Program Files directory (17014 IoCs)
Processes: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  description  ioc  process
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\include\jni.h  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-96_altform-unplated_contrast-white.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\Restore-My-Files.txt  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\ui-strings.js  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\de-de\Restore-My-Files.txt  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\Xlate_Init.xsn  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\1px.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\kiss.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32_altform-unplated.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalLetter.dotx  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-150.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5601_24x24x32.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\ui-strings.js  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\mcxml\en-us\osmmui.msi.16_osmmui.mcxml  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\tk_60x42.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-300.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\remove.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\en-IN\en-IN_female_TTS\platform_format.lua  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\ui-strings.js  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_CopyDrop32x32.gif  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-unplated.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\plugin.js  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\ui-strings.js  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_fr_135x40.svg  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\main.css  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Kiss.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-180.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\ui-strings.js  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8577_32x32x32.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\form_responses.gif  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Spiral.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\s_empty_folder_state.svg  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\ui-strings.js  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\desktop\en-US\doc_offline_getconnected.xml  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File created  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_~_kzf8qxf38zg5c\Restore-My-Files.txt  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fi_get.svg  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5601_24x24x32.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-125.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\AppxManifest.xml  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.WINWORD.16.1033.hxn  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessCompare.rdlc  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\_Resources\5.rsrc  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\Restore-My-Files.txt  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-200.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OneConnectAppList.targetsize-60.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\offsymsb.ttf  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File created  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_2015.7668.58071.0_neutral_~_8wekyb3d8bbwe\Restore-My-Files.txt  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6416_20x20x32.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-16.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-400.png  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp  0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
Processes
(Each entry gives the image path, then the command line; the level number is the nesting depth in the process tree, with child processes indented under their parent.)

Level 1: C:\Users\Admin\AppData\Local\Temp\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe"
  - Sets desktop wallpaper using registry
  - Adds Run entry to start application
  - Drops desktop.ini file(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Modifies control panel
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in Program Files directory

  Level 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

    Level 3: C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies

    Level 3: C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit

    Level 3: C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit

    Level 3: C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe"
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.7 -n 3
      - Runs ping.exe

    Level 3: C:\Windows\SysWOW64\fsutil.exe
      Command line: fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe"

Level 1: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service

Level 1: C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding

Level 1: C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)