Analysis
max time kernel: 84s
max time network: 56s
platform: windows7_x64
resource: win7v200430
submitted: 04-05-2020 15:13

Static task: static1
Behavioral task: behavioral1
    Sample: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
    Resource: win7v200430
Behavioral task: behavioral2
    Sample: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
    Resource: win10v200430

General
Target: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
Size: 12KB
MD5: 4a7378c7ef7a9b72aa2b38019aa6fcdc
SHA1: 7e19a75d8a91fa2e4e6e7519609eb8c300a8a030
SHA256: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3
SHA512: 8eb4cfcd03315f5984ee6909cd33b3086227e610d78d24dd32525a421a92b440fe012f2b5403dbc10be8db875fa5db83731786578395fef44dde8394ec219441

Malware Config
Extracted
Path: C:\$Recycle.Bin\S-1-5-21-910373003-3952921535-3480519689-1000\!read_me!.txt
Family: garrantydecrypt
Emails: azor2020@protonmail.ch, azor@rape.lol, azor2020@jxmpp.jp

Signatures

Suspicious use of WriteProcessMemory (24 IoCs)
Processes: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe, cmd.exe
description | pid | process | target process
PID 736 wrote to memory of 824 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | vssadmin.exe
PID 736 wrote to memory of 824 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | vssadmin.exe
PID 736 wrote to memory of 824 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | vssadmin.exe
PID 736 wrote to memory of 824 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | vssadmin.exe
PID 736 wrote to memory of 1768 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | cmd.exe
PID 736 wrote to memory of 1768 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | cmd.exe
PID 736 wrote to memory of 1768 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | cmd.exe
PID 736 wrote to memory of 1768 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | cmd.exe
PID 736 wrote to memory of 1864 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | cmd.exe
PID 736 wrote to memory of 1864 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | cmd.exe
PID 736 wrote to memory of 1864 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | cmd.exe
PID 736 wrote to memory of 1864 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | cmd.exe
PID 736 wrote to memory of 1872 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | cmd.exe
PID 736 wrote to memory of 1872 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | cmd.exe
PID 736 wrote to memory of 1872 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | cmd.exe
PID 736 wrote to memory of 1872 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | cmd.exe
PID 736 wrote to memory of 812 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | cmd.exe
PID 736 wrote to memory of 812 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | cmd.exe
PID 736 wrote to memory of 812 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | cmd.exe
PID 736 wrote to memory of 812 | 736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe | cmd.exe
PID 812 wrote to memory of 1424 | 812 | cmd.exe | timeout.exe
PID 812 wrote to memory of 1424 | 812 | cmd.exe | timeout.exe
PID 812 wrote to memory of 1424 | 812 | cmd.exe | timeout.exe
PID 812 wrote to memory of 1424 | 812 | cmd.exe | timeout.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: vssvc.exe
description | pid | process
Token: SeBackupPrivilege | 1040 | vssvc.exe
Token: SeRestorePrivilege | 1040 | vssvc.exe
Token: SeAuditPrivilege | 1040 | vssvc.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
pid | process
736 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

Delays execution with timeout.exe (1 IoCs)
Processes: timeout.exe
pid | process
1424 | timeout.exe

GarrantyDecrypt
Ransomware family first detected in late 2018.

Modifies Windows Firewall (1 TTPs)

Drops desktop.ini file(s) (41 IoCs)
Processes: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
description | ioc | process
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\$Recycle.Bin\S-1-5-21-910373003-3952921535-3480519689-1000\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IQD6DIKV\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\LUBVL9MG\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZDAW0I3Y\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Public\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5Q8AAMSB\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Processes: bcdedit.exe, bcdedit.exe
pid | process
1132 | bcdedit.exe
1916 | bcdedit.exe

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies service (2 TTPs, 10 IoCs)
Processes: vssvc.exe, netsh.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs | netsh.exe

Drops startup file (1 IoCs)
Processes: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!read_me!.txt | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

Deletes itself (1 IoCs)
Processes: cmd.exe
pid | process
812 | cmd.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\B0D7.tmp.jpg" | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

Drops file in Program Files directory (12087 IoCs)
Processes: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
description | ioc | process
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEODTXT.DLL | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD00687_.WMF | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\IN00956_.WMF | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\81.0.4044.129\81.0.4044.129_chrome_installer.exe | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\EXPEDITN.ELM | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AN03500_.WMF | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_s.png | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ARFR\!read_me!.txt | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_ButtonGraphic.png | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\PREVIEW.GIF | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105846.WMF | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00197_.WMF | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libwebvtt_plugin.dll | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Java\jre7\bin\prism-d3d.dll | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7 | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00176_.GIF | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\34.png | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\!read_me!.txt | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\EST | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as80.xsl | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TN00211_.WMF | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\Microsoft.Office.InfoPath.FormControl.dll | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL110.XML | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_settings.png | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\spacer_highlights.png | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_partly-cloudy.png | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENFR\MSB1ENFR.ITS | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.TW.XML | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\oledbvbs.inc | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\!read_me!.txt | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Java\jre7\bin\npt.dll | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0151581.WMF | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\!read_me!.txt | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created | C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\!read_me!.txt | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\STOCKS.XML | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rio_Branco | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\.lastModified | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18239_.WMF | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Microsoft Office\Templates\1033\EquityLetter.Dotx | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
824 | vssadmin.exe

Processes

Path: C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe"
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Drops desktop.ini file(s)
- Drops startup file
- Sets desktop wallpaper using registry
- Drops file in Program Files directory

    Path: C:\Windows\system32\vssadmin.exe
    Command line: delete shadows /all /quiet
    - Interacts with shadow copies

    Path: C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures

        Path: C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit

    Path: C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no

        Path: C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {current} recoveryenabled no
        - Modifies boot configuration data using bcdedit

    Path: C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c netsh advfirewall set allprofiles state off

        Path: C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall set allprofiles state off
        - Modifies service

    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe" >> NUL
    - Suspicious use of WriteProcessMemory
    - Deletes itself

        Path: C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 1
        - Delays execution with timeout.exe

Path: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
- Modifies service