9e863cdfd032ad861cf2c8ed6f18ba327b27eea7799635180d14472ef644990a

General

Target

c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
Size

170KB
MD5

b0ee9dae7de7781ea809278c48c310a5
SHA1

28be65219441d78399027aa42c9cc7456ee67130
SHA256

c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8
SHA512

5b954dd7bd05549d8f29b720db615b4e79cf07a41efab7ed765eb8533ad429c0d351e610900fbc6ee8f1dc5f2c8c10e53a494a4f9ec8ffd54444a8ab0c2bd8ff

Score

8^/10

persistence ransomware spyware

Malware Config

Signatures

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\BlockSave.tiff	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File renamed	C:\Users\Admin\Pictures\BlockSave.tiff => C:\Users\Admin\Pictures\BlockSave.tiff..doc	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File renamed	C:\Users\Admin\Pictures\UseInstall.tif => C:\Users\Admin\Pictures\UseInstall.tif..doc	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Roaming\\c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe"	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe

Drops desktop.ini file(s) 28 IoCs

Processes:

c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe

Drops file in Program Files directory 4394 IoCs

Processes:

c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe

description	ioc	process
File created	C:\Program Files (x86)\MSBuild\Read___ME.html	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV.HXS	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_COL.HXT	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR24F.GIF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME16.CSS	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00389_.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00487_.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01154_.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7FR.DLL	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePage.gif	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Msgbox.accdt	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_center.gif	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTBOX.JPG	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02088_.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeLetter.Dotx	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\TYPE.WAV	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR46F.GIF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15136_.GIF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00720_.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Module.eftx	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0294991.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00452_.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceca35.dll	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01157_.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106124.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN03500_.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\Read___ME.html	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATE.JPG	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15059_.GIF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04117_.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01167_.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304875.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341636.JPG	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02282_.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24Images.jpg	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\Read___ME.html	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10890_.GIF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SOA.DLL	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR18F.GIF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18237_.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00687_.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107280.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106572.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382957.JPG	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Start End Dates.accft	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_K_COL.HXK	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00454_.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.CN.XML	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPDESIGN.DLL	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_fr.dub	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZFORM.XML	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\ARROW.WAV	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00276_.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107152.WMF	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe

pid process

756 c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe

pid	process
756	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe

C:\Users\Admin\AppData\Local\Temp\c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe
"C:\Users\Admin\AppData\Local\Temp\c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:756