c414bbb789af8e3fb93b33344b31f1991582ec0f06558b29a3178d2b02465c72

General

Target

IRSdeclaration‮cod.exe
Size

282KB
MD5

fe3fd53ddc7c229b1150d970a05947c0
SHA1

3abeddbbbd29310290955cc7c1a895550c92ab96
SHA256

c414bbb789af8e3fb93b33344b31f1991582ec0f06558b29a3178d2b02465c72
SHA512

8b94e67f48f90d7a0e463a7623ba6f87a5f4108f33587c8f579f29aa3c9b0a22f7e134470824d25dccb552bfc868b18cd3f05ef09aaceef2bab6984c21f203b4

Score

9^/10

ransomware persistence

Malware Config

Signatures

Drops file in Program Files directory 16976 IoCs

Processes:

IRSdeclaration‮cod.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\images\en-US\winlogo.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-150.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-fr\ui-strings.js	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\AppxManifest.xml	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore\Resources\Assets\RT_Icons_Cert_16.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\ReliveSurfaces\Preview\RelivePreviewControl.xaml	IRSdeclaration‮cod.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\1713C2-Readme.txt	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js	IRSdeclaration‮cod.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\1713C2-Readme.txt	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleAppStoreLogo.scale-200.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-48_altform-unplated_contrast-white.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_col.hxc	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\THMBNAIL.PNG	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-right.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\AppxManifest.xml	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_altform-unplated_contrast-white.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\grmarble.jpg	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square44x44Logo.targetsize-256.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\mask\11c.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\hu_get.svg	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-16_altform-unplated.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7da.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\SmallTile.scale-125.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\12h.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pt_135x40.svg	IRSdeclaration‮cod.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\1713C2-Readme.txt	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\SmallTile.scale-200.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-fullcolor.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main.css	IRSdeclaration‮cod.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\1713C2-Readme.txt	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-api-visual.jar	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-white_scale-100.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\hyph_en_GB.dic	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-150.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\offsyml.ttf	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\vlc.mo	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\illustrations.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\aquarium_11d.png	IRSdeclaration‮cod.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\1713C2-Readme.txt	IRSdeclaration‮cod.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\1713C2-Readme.txt	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-80.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.JPG	IRSdeclaration‮cod.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\1713C2-Readme.txt	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-ms	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_ja.jar	IRSdeclaration‮cod.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\1713C2-Readme.txt	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ht_16x11.png	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ProductCascadeJDA27ptsWithLbfLowend.mdl	IRSdeclaration‮cod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteWideTile.scale-400.png	IRSdeclaration‮cod.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

IRSdeclaration‮cod.exevssvc.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4000	IRSdeclaration‮cod.exe
Token: SeImpersonatePrivilege	4000	IRSdeclaration‮cod.exe
Token: SeBackupPrivilege	2916	vssvc.exe
Token: SeRestorePrivilege	2916	vssvc.exe
Token: SeAuditPrivilege	2916	vssvc.exe
Token: SeDebugPrivilege	5752	taskkill.exe

Suspicious behavior: EnumeratesProcesses 18202 IoCs

Processes:

IRSdeclaration‮cod.exe

pid	process
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe
4000	IRSdeclaration‮cod.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

IRSdeclaration‮cod.execmd.exe

description	pid	process	target process
PID 4000 wrote to memory of 4020	4000	IRSdeclaration‮cod.exe	vssadmin.exe
PID 4000 wrote to memory of 4020	4000	IRSdeclaration‮cod.exe	vssadmin.exe
PID 4000 wrote to memory of 5288	4000	IRSdeclaration‮cod.exe	notepad.exe
PID 4000 wrote to memory of 5288	4000	IRSdeclaration‮cod.exe	notepad.exe
PID 4000 wrote to memory of 5288	4000	IRSdeclaration‮cod.exe	notepad.exe
PID 4000 wrote to memory of 6728	4000	IRSdeclaration‮cod.exe	cmd.exe
PID 4000 wrote to memory of 6728	4000	IRSdeclaration‮cod.exe	cmd.exe
PID 4000 wrote to memory of 6728	4000	IRSdeclaration‮cod.exe	cmd.exe
PID 6728 wrote to memory of 5752	6728	cmd.exe	taskkill.exe
PID 6728 wrote to memory of 5752	6728	cmd.exe	taskkill.exe
PID 6728 wrote to memory of 5752	6728	cmd.exe	taskkill.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5752 taskkill.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4020 vssadmin.exe

pid	process
5752	taskkill.exe

pid	process
4020	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\IRSdeclaration‮cod.exe
"C:\Users\Admin\AppData\Local\Temp\IRSdeclaration‮cod.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:4020

C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\1713C2-Readme.txt"
2⤵
PID:5288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6711.tmp.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:6728

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 4000
3⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:5752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

File Deletion

2

T1107

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6711.tmp.bat

Download Submit
C:\Users\Admin\Desktop\1713C2-Readme.txt

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads