b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3

General

Target

b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
Size

12KB
MD5

4a7378c7ef7a9b72aa2b38019aa6fcdc
SHA1

7e19a75d8a91fa2e4e6e7519609eb8c300a8a030
SHA256

b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3
SHA512

8eb4cfcd03315f5984ee6909cd33b3086227e610d78d24dd32525a421a92b440fe012f2b5403dbc10be8db875fa5db83731786578395fef44dde8394ec219441

Score

9^/10

ransomware evasion persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

pid	process
1872	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
1872	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

Processes:

b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!read_me!.txt	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe

Drops desktop.ini file(s) 33 IoCs

Processes:

b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2136578390-2771164089-400866267-1000\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8B00.tmp.jpg"	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1168 timeout.exe

pid	process
1168	timeout.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.execmd.exe

description	pid	process	target process
PID 1872 wrote to memory of 3596	1872	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	vssadmin.exe
PID 1872 wrote to memory of 3596	1872	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	vssadmin.exe
PID 1872 wrote to memory of 4092	1872	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 1872 wrote to memory of 4092	1872	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 1872 wrote to memory of 2264	1872	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 1872 wrote to memory of 2264	1872	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 1872 wrote to memory of 2096	1872	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 1872 wrote to memory of 2096	1872	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 1872 wrote to memory of 492	1872	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 1872 wrote to memory of 492	1872	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 1872 wrote to memory of 492	1872	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 492 wrote to memory of 1168	492	cmd.exe	timeout.exe
PID 492 wrote to memory of 1168	492	cmd.exe	timeout.exe
PID 492 wrote to memory of 1168	492	cmd.exe	timeout.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3144 vssvc.exe
Token: SeRestorePrivilege 3144 vssvc.exe
Token: SeAuditPrivilege 3144 vssvc.exe
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3888 bcdedit.exe
3940 bcdedit.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	pid	process
Token: SeBackupPrivilege	3144	vssvc.exe
Token: SeRestorePrivilege	3144	vssvc.exe
Token: SeAuditPrivilege	3144	vssvc.exe

pid	process
3888	bcdedit.exe
3940	bcdedit.exe

Drops file in Program Files directory 22247 IoCs

Processes:

b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\vlc.mo	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_file_plugin.dll	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OneConnectAppList.targetsize-64.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-30.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses_selected-hover.svg	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_EyeLookingUp.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-20.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldThrow.snippets.ps1xml	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-timezone-l1-1-0.dll	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODEXL.DLL	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\rock.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\lk_60x42.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\en-us\msointlimm.dll	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations_retina.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\Icon.targetsize-16.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\ui-strings.js	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\!read_me!.txt	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdasc.dll	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.boot.tree.dat	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Spider\spiderassets.xml	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Be.Tests.ps1	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\en-US\InkObj.dll.mui	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador28.tlb	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\WideLogo.scale-125.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-125.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-140.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\Logo.scale-150.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\..	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\inlove.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\kg_60x42.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sv-se\ui-strings.js	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCL.DLL	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Sun.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-400.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\questfallback.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\line.cur	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\ui-strings.js	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-oob.xrm-ms	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_BadgeLogo.scale-200.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\!read_me!.txt	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\msipc.dll.mui	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-unplated.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ccloud.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\selector.js	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\ui-strings.js	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\!read_me!.txt	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Become_a_Superstar_.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\lc_16x11.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\ui-strings.js	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\line_2x.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3596 vssadmin.exe

pid	process
3596	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
"C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
PID:1872

C:\Windows\System32\vssadmin.exe
delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:3596

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
2⤵
PID:4092

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:3940

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
2⤵
PID:2264

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3888

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c netsh advfirewall set allprofiles state off
2⤵
PID:2096

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe" >> NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:492