wyvernlocker | c806bc2e5eabdaf5e0e34cf142a00e4b1caaf643340528f98311745347e61c1d

Analysis

max time kernel
119s
max time network
120s
platform
windows10_x64
resource
win10
submitted
27-07-2020 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
Size

15KB
MD5

1a9757fcdf21843b5029db6c5b83a83a
SHA1

177897a6a38ec00a6dbf1004342f6111962053b5
SHA256

c806bc2e5eabdaf5e0e34cf142a00e4b1caaf643340528f98311745347e61c1d
SHA512

9cde834f5349c1bd443da006510260f0fb9870c6781ed2ed4caa61e36a177b5436eba3af673cea09154bca3db82888a9efc62622185a364572f080d1a219a2da

Score

10^/10

ransomware wyvernlocker

Malware Config

Signatures

WyvernLocker
Ransomware first seen in July 2020.
ransomware wyvernlocker

Drops desktop.ini file(s) 3 IoCs

Processes:

1A9757FCDF21843B5029DB6C5B83A83A.bin.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe

Drops file in Program Files directory 16400 IoCs

Processes:

1A9757FCDF21843B5029DB6C5B83A83A.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-100_contrast-white.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ru-ru\ui-strings.js	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview2x.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\83.0.4103.106\Locales\lv.pak	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-api-visual.jar	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\Square44x44Logo.scale-100.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-72_altform-unplated.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutArchiveImage.layoutdir-LTR.gif	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\ui-strings.js	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchSmallTile.contrast-black_scale-125.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Backgrounds\Autumn.jpg	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-150.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericIntl-1.jpg	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\PlaylistMediumTile.scale-100.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\bg1.jpg	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-144x144-precomposed.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\ui-strings.js	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Heart.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_SadMouth.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-150.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-100.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\RMNSQUE.ELM	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_CS-CZ.respack	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\HandPrints.jpg	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-white_scale-125.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\LargeTile.scale-200.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_2x.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-black_scale-125.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7260_40x40x32.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-150.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xea23.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-de_de.gif	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBCN6.CHM	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square44x44Logo.targetsize-16.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\GiveUp\GiveUp-over.mobile.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\Popup\FUE4_Image.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsWideTile.contrast-black_scale-200.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorSplashScreen.scale-200.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\ui-strings.js	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.tree.dat	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-200.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\platform_format.lua	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-20.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\cs-cz\ui-strings.js	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\Email.ot	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee90.tlb	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-60.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d9.png	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar	1A9757FCDF21843B5029DB6C5B83A83A.bin.exe

C:\Users\Admin\AppData\Local\Temp\1A9757FCDF21843B5029DB6C5B83A83A.bin.exe
"C:\Users\Admin\AppData\Local\Temp\1A9757FCDF21843B5029DB6C5B83A83A.bin.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2460

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads