garrantydecrypt | b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3

General

Target

b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
Size

12KB
MD5

4a7378c7ef7a9b72aa2b38019aa6fcdc
SHA1

7e19a75d8a91fa2e4e6e7519609eb8c300a8a030
SHA256

b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3
SHA512

8eb4cfcd03315f5984ee6909cd33b3086227e610d78d24dd32525a421a92b440fe012f2b5403dbc10be8db875fa5db83731786578395fef44dde8394ec219441

Score

10^/10

ransomware evasion garrantydecrypt spyware persistence

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1231583446-2617009595-2137880041-1000\!read_me!.txt

Family

garrantydecrypt

Ransom Note

Do you want to return your files? Write to our email: azor2020@protonmail.ch azor@rape.lol Or contact us via jabber azor2020@jxmpp.jp Jabber (Pidgin) client installation instructions, you can find on youtube https://www.youtube.com/results?search_query=pidgin+jabber+install ICQ: @azor2020 !!!Any of your attempts to return files will result in complete loss of the database!!! tell your unique ID RB3Vw6N+wzycFELtbbqS0OibTLenhMcPyO+m/uLNleUf6iUSAs4RytgBeU2goZiIl74gHPg0QBTJFOnmWMJ69lGa7vwJPdk5Q6kfMWsmURe6dYEnlF36Zmxg22CGQRZho064AQn5TZ1k8Q3UQuhLWwRdQxdJ2IJYmEviG9NQR0qwZ8oGYbI1Ys7KCURQP5daiW54OjyZ3TgJ9bW5GYw7MoYiAFcrme+0TRx+mxncJQXM4cdwiElMuXXkSbDxdo5OYGTPuWa20AmPwwN+2VoUrQ/NQqUw9Cqsxy597TMZpOwMYQ8Wq6liSo+6XuS1NmCh5yrnp2sujNsxbMsLS1lhvEiYxJ1Sjh2+WXi8UYCcOIKwGO0nve70NtTIiE5NEAEry81wmnfZn3B24tVzlZwiG79TYC6FiPlG3qA0njuMeYLdx7mLyGEVCpwv2bPUVJ4UQF+taqh33e1TT/99AIE4ZqG9q5CxQX76b31t3GMZBJoubwry85DIirqQstSZLZznHJUGUC+nW7OrGxvcCVvng9fnYFlQkNq58+Kk5QBp51Xt8lqVM/AKonU8QFUoCaNft1x1mK1b7x5vNJ/rmW2ktQmjGMylVhvoDi7awSA8k1+Zqt0rMorXWnPenxs+cqy9pynhBflqkYS0HEu9CsoEPl04bitbarPhf/WkP95Du5hWKS9L3UxFGS25aDXiUG8t4lZuDGAHi0juNQM+Xjo2xT7kL8H2pN5ta59tqB5Il3U0i2eGIafoPe35/9c2LdFXgkDvFFfuiXrvSvJ7TDBBKaKVtsyM5NsbnoYsIJDUCTQNjDA8lh3DOnkVLcODSKrmG/98zd9oN7kKk8bBJapbsAuHe0cMP70o60UWTubPc14VFogKZdJVwASrDB2jei0jV4+Q7Xn+86Ug3KdYqvInZ33W1ONK0LfeilkMea5Gi/BGcauXUt19lX/hV+kulmYnVvHeJJL7f/5GgWrTz4u89gjvUP4iY/DdbXOx6LM6eLmbT7jVQip+TFMy/FiNybolAR0UfbaSRHGYS6lDqdLMNkRuXQKKs1fDPRBmFZ+jGKF7/4I1LQkotACEOOKNcSEtDqiTdWL4v7tsHHLr/GpNLJDfa8EDrxz2edBbK4BIxxp1ttLpbHU6KnONA+2Hd0cTo0wNYk/fw+Ydl0QU0EDxnJ49JQCxBzf7MALZkGkp9miAlBjfE69PhV+w719z2uHHgivbah0L0Za7M0dtq7wvVDEocPjyUB/g5qeyKdMc4rsjNNKw7FNPGu2pRVSRssoPQJMruDWlCR+NntgACp5ntadHjLifdorOC10JhxaaKVr/v9F2cMrtnWU+Z405mj9fMtW2A2KFDHPpCF3odPbsgQ==

Emails

azor2020@protonmail.ch

azor@rape.lol

azor2020@jxmpp.jp

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3184 bcdedit.exe
3020 bcdedit.exe

pid	process
3184	bcdedit.exe
3020	bcdedit.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.execmd.exe

description	pid	process	target process
PID 1356 wrote to memory of 1504	1356	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	vssadmin.exe
PID 1356 wrote to memory of 1504	1356	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	vssadmin.exe
PID 1356 wrote to memory of 2464	1356	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 1356 wrote to memory of 2464	1356	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 1356 wrote to memory of 2604	1356	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 1356 wrote to memory of 2604	1356	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 1356 wrote to memory of 2676	1356	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 1356 wrote to memory of 2676	1356	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 1356 wrote to memory of 3788	1356	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 1356 wrote to memory of 3788	1356	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 1356 wrote to memory of 3788	1356	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe	cmd.exe
PID 3788 wrote to memory of 252	3788	cmd.exe	timeout.exe
PID 3788 wrote to memory of 252	3788	cmd.exe	timeout.exe
PID 3788 wrote to memory of 252	3788	cmd.exe	timeout.exe

GarrantyDecrypt
Ransomware family first detected in late 2018.
ransomware garrantydecrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Program Files directory 22537 IoCs

Processes:

b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libsatip_plugin.dll	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\gl_16x11.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\da_get.svg	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.scale-125_contrast-black.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\ui-strings.js	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\!read_me!.txt	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\Icons\CamMDL2.ttf	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\uk-ua\!read_me!.txt	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\!read_me!.txt	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\pipres.dll	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscene_plugin.dll	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\!read_me!.txt	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hr-hr\!read_me!.txt	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\81.0.4044.129\Locales\pt-BR.pak	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\!read_me!.txt	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdDataExtension.dll	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\MedTile.scale-125.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\dot.cur	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\da-dk\ui-strings.js	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-150.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.GrayF@3x.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7357_24x24x32.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-150.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-40.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\LightGray.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\!read_me!.txt	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\!read_me!.txt	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_uk.dll	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\81.0.4044.129\81.0.4044.129_chrome_installer.exe	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\ResetCoord.scale-180.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_TileLargeSquare.scale-200.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\LockScreenBadgeLogo.scale-200.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\it_60x42.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-200.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_es.jar	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\mcxml\x-none\DCF.x-none.msi.16_mondoww.mcxml	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireAppList.targetsize-20_altform-unplated.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\xaml\onenote\ShareMainPage.xaml	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5664_24x24x32.png	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sk_get.svg	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\!read_me!.txt	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.DATABASECOMPARE.16.1033.hxn	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\!read_me!.txt	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1816 vssvc.exe
Token: SeRestorePrivilege 1816 vssvc.exe
Token: SeAuditPrivilege 1816 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1816	vssvc.exe
Token: SeRestorePrivilege	1816	vssvc.exe
Token: SeAuditPrivilege	1816	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\E35.tmp.jpg"	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

252 timeout.exe

pid	process
252	timeout.exe

Drops desktop.ini file(s) 33 IoCs

Processes:

b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

pid	process
1356	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
1356	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops startup file 1 IoCs

Processes:

b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!read_me!.txt	b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1504 vssadmin.exe

pid	process
1504	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
"C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
- Sets desktop wallpaper using registry
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Drops startup file
PID:1356

C:\Windows\System32\vssadmin.exe
delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1504

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
2⤵
PID:2464

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:3020

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
2⤵
PID:2604

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3184

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c netsh advfirewall set allprofiles state off
2⤵
PID:2676

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
PID:3972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe" >> NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:3788