Analysis
max time kernel: 157s
max time network: 122s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe
  Resource: win10v20201028
General
Target: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe
Size: 69KB
MD5: 608ac26ea80c189ed8e0f62dd4fd8ada
SHA1: c5b3fa421db00fe931f439af5df4f65f7f3d9a1a
SHA256: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010
SHA512: 57951e09485961814bf018b3a10b6ad2e68f76409bcfce509afb979eee3dc0010af891d0efa094c0510ff26b21812b2d9528cce2bbc362c9830ae00b1610c4ad
Malware Config
Extracted: the same two .onion URLs were recovered from each of these five ransom-note copies:
  C:\Users\Admin\Searches\13B76C-Readme.txt
  C:\13B76C-Readme.txt
  C:\Users\Admin\Documents\13B76C-Readme.txt
  C:\Users\Admin\Desktop\13B76C-Readme.txt
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\13B76C-Readme.txt
URLs:
  http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
  http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files. Here the suffix .13b76c matches the identifier in the ransom-note name 13B76C-Readme.txt, so both artefacts carry the same ID.
Process: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe
  File renamed C:\Users\Admin\Pictures\AddBackup.tif => C:\Users\Admin\Pictures\AddBackup.tif.13b76c
  File renamed C:\Users\Admin\Pictures\ResizeSkip.crw => C:\Users\Admin\Pictures\ResizeSkip.crw.13b76c
  File renamed C:\Users\Admin\Pictures\DisableRequest.raw => C:\Users\Admin\Pictures\DisableRequest.raw.13b76c
  File renamed C:\Users\Admin\Pictures\ExitSkip.raw => C:\Users\Admin\Pictures\ExitSkip.raw.13b76c
  File renamed C:\Users\Admin\Pictures\SelectClose.tiff => C:\Users\Admin\Pictures\SelectClose.tiff.13b76c
  File opened for modification C:\Users\Admin\Pictures\SelectClose.tiff
  File renamed C:\Users\Admin\Pictures\ConnectRename.raw => C:\Users\Admin\Pictures\ConnectRename.raw.13b76c
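The renames above and the ransom notes share one identifier: encrypted files get the .13b76c suffix and every note is named 13B76C-Readme.txt. The Python below is an added triage example, not code from the report or from the sample. It builds a throw-away directory tree imitating these IoCs (the file layout and the note body are constructed; the report shows only the .onion URLs extracted from the real notes, not their text), then inventories encrypted files by original extension, locates the notes and pulls the .onion URLs out of them without opening any other file.

```python
"""Triage of the ransomware artefacts listed in this report.

Added example, not code from the report or the sample. The directory tree
and the ransom-note body are constructed for the demo; the report only
shows the .onion URLs it extracted from the real notes.
"""
import os
import re
import shutil
import tempfile
from collections import Counter

ENC_EXT = ".13b76c"              # suffix seen in "Modifies extensions of user files"
NOTE_NAME = "13B76C-Readme.txt"  # ransom-note filename seen in "Malware Config"
# v3 onion addresses are 56 base32 characters, v2 were 16; case-insensitive
# because ransom notes are often written in capitals.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\b", re.I)

# Constructed note body (the real note text is not in the report).
NOTE = (
    "--- constructed ransom-note body for this example ---\n"
    "All of your files are encrypted. To get a key, open:\n"
    "http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion\n"
    "or, if that is blocked,\n"
    "http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion\n"
).encode("utf-8")


def inventory(root):
    """Walk `root` and return:
      encrypted: {original extension: count} for files ending in ENC_EXT
      notes:     sorted paths of ransom notes
      onions:    sorted, de-duplicated .onion URLs found inside the notes
    Only files carrying the ransom-note name are opened, so the walk never
    reads encrypted blobs or unrelated user data.
    """
    encrypted = Counter()
    notes = []
    onions = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENC_EXT):
                original = name[: -len(ENC_EXT)]            # strip ".13b76c"
                ext = os.path.splitext(original)[1].lower() or "(none)"
                encrypted[ext] += 1
            elif name == NOTE_NAME:
                notes.append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    onions.update(m.group(0) for m in ONION_RE.finditer(fh.read()))
    return {"encrypted": dict(encrypted), "notes": sorted(notes), "onions": sorted(onions)}


def make_fixture():
    """Build a constructed tree: the six Pictures renames from the report,
    notes in Desktop and Documents, plus untouched files and a decoy .txt."""
    root = tempfile.mkdtemp(prefix="triage-")
    layout = {
        "Pictures/AddBackup.tif" + ENC_EXT: b"\x00" * 64,
        "Pictures/ResizeSkip.crw" + ENC_EXT: b"\x00" * 64,
        "Pictures/DisableRequest.raw" + ENC_EXT: b"\x00" * 64,
        "Pictures/ExitSkip.raw" + ENC_EXT: b"\x00" * 64,
        "Pictures/SelectClose.tiff" + ENC_EXT: b"\x00" * 64,
        "Pictures/ConnectRename.raw" + ENC_EXT: b"\x00" * 64,
        "Pictures/untouched.png": b"\x89PNG",
        "Desktop/" + NOTE_NAME: NOTE,
        "Documents/" + NOTE_NAME: NOTE,
        "Documents/todo.txt": b"not a ransom note",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def run_demo():
    """Create the fixture, inventory it, clean up, and return the inventory."""
    root = make_fixture()
    try:
        return inventory(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    print("encrypted by original extension:", result["encrypted"])
    print("ransom notes:", len(result["notes"]))
    print("onion URLs:", *result["onions"], sep="\n  ")
```

On a real host point `inventory()` at the volume root (or a mounted image) instead of the fixture; the extension tally tells you which data classes were hit, and the URL set is what goes into blocklists and the incident record.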
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, such as saved credentials. The report lists no file or registry IoCs under this signature, so treat it as unconfirmed for this sample.
Modifies service (2 TTPs, 5 IoCs)
Process: vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
All five keys are written by the Volume Shadow Copy service itself (vssvc.exe) as it starts to serve the vssadmin request, not by the sample; they corroborate the shadow-copy deletion rather than indicating service tampering or persistence.
Drops file in Program Files directory (14459 IoCs; 64 listed)
Process: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe
  File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ba_16x11.png
  File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-100.png
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\ui-strings.js
  File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-32.png
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sk-sk\ui-strings.js
  File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_contrast-white.png
  File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-200.png
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\ui-strings.js
  File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCache-Light.scale-100.png
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-Bold.otf
  File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_12s.png
  File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-200.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\daily_challenge.jpg
  File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml
  File created C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\13B76C-Readme.txt
  File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-60.png
  File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\PreviewMailList.png
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_nb_135x40.svg
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\13B76C-Readme.txt
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover_2x.png
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK
  File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\talking.png
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\13B76C-Readme.txt
  File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-48_altform-unplated.png
  File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-150.png
  File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\da-dk\13B76C-Readme.txt
  File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-256.png
  File opened for modification C:\Program Files\Microsoft Office\root\vfs\System\VEN2232.OLB
  File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.boot.tree.dat
  File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4613_32x32x32.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\LargeTile.scale-100.png
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbDownOutline_22_N1.svg
  File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-64_altform-unplated_contrast-black.png
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\css\main.css
  File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA
  File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_32
  File opened for modification C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac
  File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\MedTile.scale-125.png
  File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5613_40x40x32.png
  File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5666_24x24x32.png
  File opened for modification C:\Program Files\7-Zip\Lang\en.ttt
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\13B76C-Readme.txt
  File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Officehub_Base_PriConfig.xml
  File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Beihai_Common_Diagnostics.winmd
  File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1850_20x20x32.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\AppxBlockMap.xml
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\13B76C-Readme.txt
  File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\beach_12h.png
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ko_135x40.svg
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\13B76C-Readme.txt
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-ms
  File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerMedTile.scale-100.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MusicStoreLogo.scale-100_contrast-white.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\shake.png
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\ui-strings.js
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML
  File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\themes.png
  File opened for modification C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.tree.dat
  File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml
  File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Glasses.png
The "File created" rows show the 13B76C-Readme.txt note being dropped into each application subdirectory the sample walked, alongside the files it opened for modification there.
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Process: vssadmin.exe, pid 1504
Suspicious behavior: EnumeratesProcesses (46758 IoCs)
Process: pid 3892 c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe
The report repeats this single pid/process row once per enumeration event; only a truncated excerpt of the 46758 IoCs is shown.
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege        pid 3892  c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe
  Token: SeImpersonatePrivilege  pid 3892  c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe
  Token: SeBackupPrivilege       pid 2092  vssvc.exe
  Token: SeRestorePrivilege      pid 2092  vssvc.exe
  Token: SeAuditPrivilege        pid 2092  vssvc.exe
The three vssvc.exe entries are the privileges the Volume Shadow Copy service normally enables for itself; the entries that matter for this sample are SeDebugPrivilege and SeImpersonatePrivilege being enabled by pid 3892.
Suspicious use of WriteProcessMemory (2 IoCs)
  PID 3892 (c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe) wrote to memory of PID 1504 (vssadmin.exe)
  PID 3892 (c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe) wrote to memory of PID 1504 (vssadmin.exe)
Both entries show the sample writing into the vssadmin.exe child it has just spawned, which is what CreateProcess itself does when it sets up the new process's parameters; on their own these rows are not evidence of code injection.
Processes
C:\Users\Admin\AppData\Local\Temp\c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe (pid 3892)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\vssadmin.exe (pid 1504, child of 3892)
    Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
C:\Windows\system32\vssvc.exe (pid 2092)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
vssvc.exe sits at the top level of the tree because the Volume Shadow Copy service is started on demand by the service control manager when vssadmin issues its request; it is not a child of the sample.
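The process tree above is the detection opportunity: an unknown binary in %TEMP% (pid 3892) launching vssadmin.exe delete shadows /all /quiet (pid 1504). The Python below is an added example, not part of the report or the sample. It replays constructed process-creation records (field names modelled on Sysmon Event ID 1; the events themselves, the allow-list of expected parent processes, and the extra wmic/PowerShell command patterns are assumptions, not taken from this report) and rates a shadow-copy deletion by whether its parent is somewhere an administrator would normally run it from.

```python
"""Detection logic for the shadow-copy deletion seen in this report.

Added example, not part of the sandbox report or the sample. The events
below are constructed; the first one mirrors the report's process tree
(pid 3892 in %TEMP% spawning vssadmin.exe pid 1504), the rest are benign
controls.
"""
import re
from dataclasses import dataclass

# Shadow-copy deletion command lines. The first pattern is exactly what the
# sample ran ("vssadmin.exe delete shadows /all /quiet"); the others are
# common equivalents and are assumptions beyond this report.
DELETE_SHADOWS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I),
]

# Parents from which an administrator plausibly runs vssadmin by hand.
# Anything else (a binary in %TEMP%, an Office process, a script host)
# is rated high. This allow-list is an assumption; tune it per environment.
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe", "mmc.exe"}


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_shadow_delete(cmd: str) -> bool:
    return any(p.search(cmd) for p in DELETE_SHADOWS)


def evaluate(ev: ProcessCreate) -> str:
    """'high'   : shadow deletion from an unexpected parent or from %TEMP%
       'medium' : shadow deletion from an expected admin parent (still review)
       'none'   : not a shadow deletion"""
    if not is_shadow_delete(ev.command_line):
        return "none"
    parent = basename(ev.parent_image)
    in_temp = "\\appdata\\local\\temp\\" in ev.parent_image.lower()
    if parent not in EXPECTED_PARENTS or in_temp:
        return "high"
    return "medium"


def triage(events):
    """Return [(severity, event)] for every event rated above 'none'."""
    return [(evaluate(ev), ev) for ev in events if evaluate(ev) != "none"]


SAMPLE = "c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010.bin.exe"
EVENTS = [
    # mirrors the report: sample in %TEMP% -> vssadmin delete shadows
    ProcessCreate(1504, r"C:\Windows\system32\vssadmin.exe",
                  r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet",
                  3892, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE),
    # benign: an admin listing shadows from a shell
    ProcessCreate(2210, r"C:\Windows\system32\vssadmin.exe",
                  r"vssadmin list shadows",
                  900, r"C:\Windows\System32\cmd.exe"),
    # deletion from an admin shell: still worth a look, but lower severity
    ProcessCreate(2300, r"C:\Windows\system32\vssadmin.exe",
                  r"vssadmin delete shadows /for=C: /oldest",
                  901, r"C:\Windows\System32\cmd.exe"),
    # the VSS service itself starting under services.exe: not a deletion
    ProcessCreate(2400, r"C:\Windows\system32\vssvc.exe",
                  r"C:\Windows\system32\vssvc.exe",
                  700, r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for sev, ev in triage(EVENTS):
        print(f"[{sev}] pid={ev.pid} parent={basename(ev.parent_image)} cmd={ev.command_line}")
```

Keying the rule on the parent rather than on vssadmin alone is what keeps it usable: backup agents and administrators do delete shadows, but they do not do it from a freshly dropped executable in a user's temp directory.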
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  memory/1504-0-0x0000000000000000-mapping.dmp