Analysis
- max time kernel: 144s
- max time network: 151s
- platform: windows10_x64
- resource: win10v200430
- submitted: 04-05-2020 15:13
- Static task: static1
- Behavioral task: behavioral1
  Sample: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
  Resource: win7v200430
- Behavioral task: behavioral2
  Sample: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
  Resource: win10v200430

General
- Target: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
- Size: 12KB
- MD5: 4a7378c7ef7a9b72aa2b38019aa6fcdc
- SHA1: 7e19a75d8a91fa2e4e6e7519609eb8c300a8a030
- SHA256: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3
- SHA512: 8eb4cfcd03315f5984ee6909cd33b3086227e610d78d24dd32525a421a92b440fe012f2b5403dbc10be8db875fa5db83731786578395fef44dde8394ec219441

Malware Config
Extracted
- Path: C:\$Recycle.Bin\S-1-5-21-1231583446-2617009595-2137880041-1000\!read_me!.txt
- Family: garrantydecrypt
- Emails: azor2020@protonmail.ch, azor@rape.lol, azor2020@jxmpp.jp

Signatures

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Processes:
- pid 3184: bcdedit.exe
- pid 3020: bcdedit.exe

Modifies service (2 TTPs, 5 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)

Modifies Windows Firewall (1 TTPs)

Suspicious use of WriteProcessMemory (14 IoCs)
Processes: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe, cmd.exe
- PID 1356 wrote to memory of 1504: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe -> vssadmin.exe
- PID 1356 wrote to memory of 1504: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe -> vssadmin.exe
- PID 1356 wrote to memory of 2464: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe -> cmd.exe
- PID 1356 wrote to memory of 2464: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe -> cmd.exe
- PID 1356 wrote to memory of 2604: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe -> cmd.exe
- PID 1356 wrote to memory of 2604: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe -> cmd.exe
- PID 1356 wrote to memory of 2676: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe -> cmd.exe
- PID 1356 wrote to memory of 2676: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe -> cmd.exe
- PID 1356 wrote to memory of 3788: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe -> cmd.exe
- PID 1356 wrote to memory of 3788: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe -> cmd.exe
- PID 1356 wrote to memory of 3788: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe -> cmd.exe
- PID 3788 wrote to memory of 252: cmd.exe -> timeout.exe
- PID 3788 wrote to memory of 252: cmd.exe -> timeout.exe
- PID 3788 wrote to memory of 252: cmd.exe -> timeout.exe

GarrantyDecrypt
Ransomware family first detected in late 2018.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Drops file in Program Files directory (22537 IoCs)
Processes: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeBackupPrivilege (pid 1816, vssvc.exe)
- Token: SeRestorePrivilege (pid 1816, vssvc.exe)
- Token: SeAuditPrivilege (pid 1816, vssvc.exe)

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\E35.tmp.jpg" (b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe)

Delays execution with timeout.exe (1 IoCs)
Processes:
- pid 252: timeout.exe

Drops desktop.ini file(s) (33 IoCs)
Processes: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification:
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Admin\OneDrive\desktop.ini
- C:\Users\Public\Libraries\desktop.ini
- C:\Users\Admin\Pictures\Camera Roll\desktop.ini
- C:\Users\Public\desktop.ini
- C:\$Recycle.Bin\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini
- C:\Program Files\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Public\AccountPictures\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Program Files (x86)\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Public\Downloads\desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- pid 1356: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
- pid 1356: b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops startup file (1 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!read_me!.txt (b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe)

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- pid 1504: vssadmin.exe

Processes
- C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe"
  - Suspicious use of WriteProcessMemory
  - Drops file in Program Files directory
  - Sets desktop wallpaper using registry
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Drops startup file
  - C:\Windows\System32\vssadmin.exe
    Command line: delete shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {current} recoveryenabled no
      - Modifies boot configuration data using bcdedit
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c netsh advfirewall set allprofiles state off
    - C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall set allprofiles state off
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe" >> NUL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 1
      - Delays execution with timeout.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken