e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin

General
Target

e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe

Filesize

532KB

Completed

21-11-2020 15:15

Score

10/10
MD5

76f547c793b5478b970c64caf04d01d4

SHA1

f9eb40f6d3d4c83852e3781886db762bef8564e0

SHA256

e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037

Malware Config
Signatures 14


Defense Evasion
Impact
Persistence
  • MountLocker Ransomware

    Description

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies extensions of user files
    e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    description | ioc | process
    File renamed | C:\Users\Admin\Pictures\WaitFind.tif => \??\c:\Users\Admin\Pictures\WaitFind.tif.ReadManual.5A595725 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File renamed | C:\Users\Admin\Pictures\AddUnlock.tif => \??\c:\Users\Admin\Pictures\AddUnlock.tif.ReadManual.5A595725 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Admin\Pictures\RemoveStop.tiff | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File renamed | C:\Users\Admin\Pictures\RemoveStop.tiff => \??\c:\Users\Admin\Pictures\RemoveStop.tiff.ReadManual.5A595725 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File renamed | C:\Users\Admin\Pictures\SetConvertFrom.raw => \??\c:\Users\Admin\Pictures\SetConvertFrom.raw.ReadManual.5A595725 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File renamed | C:\Users\Admin\Pictures\UninstallReceive.raw => \??\c:\Users\Admin\Pictures\UninstallReceive.raw.ReadManual.5A595725 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Admin\Pictures\BackupInvoke.tiff | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File renamed | C:\Users\Admin\Pictures\BackupInvoke.tiff => \??\c:\Users\Admin\Pictures\BackupInvoke.tiff.ReadManual.5A595725 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File renamed | C:\Users\Admin\Pictures\CompressStop.tif => \??\c:\Users\Admin\Pictures\CompressStop.tif.ReadManual.5A595725 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File renamed | C:\Users\Admin\Pictures\PushMount.crw => \??\c:\Users\Admin\Pictures\PushMount.crw.ReadManual.5A595725 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid | process
    1652 | cmd.exe
  • Drops desktop.ini file(s)
    e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Public\Recorded TV\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Public\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Public\Music\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Public\Music\Sample Music\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Public\Videos\Sample Videos\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
  • Modifies service
    vssvc.exe

    TTPs

    Modify Registry, Modify Existing Service

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  • Drops file in Program Files directory
    e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Java\jre7\lib\images\cursors\win32_MoveDrop32x32.gif | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\settings.js | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00116_.WMF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPICCAP.XML | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\picturePuzzle.js | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\7-Zip\Lang\tr.txt | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.ssl_1.1.0.v20140827-1444.jar | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_zh_CN.jar | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\VBAOWS10.CHM | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105232.WMF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_ON.GIF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Knox | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File created | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\RecoveryManual.html | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_Loading.png | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\desktop.ini | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Java\jre7\lib\zi\Australia\Adelaide | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00172_.WMF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00452_.WMF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Status Report.fdt | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIconsMask.bmp | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\COUPON.POC | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199727.WMF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCD11.POC | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185780.WMF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14538_.GIF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-awt.jar | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC.HXS | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR41F.GIF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\PPTIRM.XML | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099175.WMF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0158477.WMF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18191_.WMF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURS.ICO | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuching | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.jdp_5.5.0.165303.jar | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Java\jre7\lib\zi\Australia\Brisbane | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04174_.WMF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10254_.GIF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00783_.WMF | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File created | \??\c:\Program Files (x86)\Mozilla Maintenance Service\logs\RecoveryManual.html | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File created | \??\c:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\RecoveryManual.html | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    1120 | vssadmin.exe
  • Modifies registry class
    e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\.5A595725\shell\Open\command | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\.5A595725 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\.5A595725\shell | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\.5A595725\shell\Open | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\.5A595725\shell\Open\command\ = "explorer.exe RecoveryManual.html" | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe

    Reported IOCs

    pid | process
    1680 | powershell.exe
    1680 | powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, vssvc.exe, e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1680 | powershell.exe
    Token: SeBackupPrivilege | 952 | vssvc.exe
    Token: SeRestorePrivilege | 952 | vssvc.exe
    Token: SeAuditPrivilege | 952 | vssvc.exe
    Token: SeTakeOwnershipPrivilege | 1664 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    Token: SeRestorePrivilege | 1664 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
  • Suspicious use of SetWindowsHookEx
    e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe

    Reported IOCs

    pid | process
    1664 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
  • Suspicious use of WriteProcessMemory
    e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe, powershell.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 1664 wrote to memory of 1168 | 1664 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe | splwow64.exe
    PID 1664 wrote to memory of 1168 | 1664 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe | splwow64.exe
    PID 1664 wrote to memory of 1168 | 1664 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe | splwow64.exe
    PID 1664 wrote to memory of 1168 | 1664 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe | splwow64.exe
    PID 1664 wrote to memory of 1680 | 1664 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe | powershell.exe
    PID 1664 wrote to memory of 1680 | 1664 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe | powershell.exe
    PID 1664 wrote to memory of 1680 | 1664 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe | powershell.exe
    PID 1664 wrote to memory of 1680 | 1664 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe | powershell.exe
    PID 1680 wrote to memory of 1120 | 1680 | powershell.exe | vssadmin.exe
    PID 1680 wrote to memory of 1120 | 1680 | powershell.exe | vssadmin.exe
    PID 1680 wrote to memory of 1120 | 1680 | powershell.exe | vssadmin.exe
    PID 1680 wrote to memory of 1120 | 1680 | powershell.exe | vssadmin.exe
    PID 1664 wrote to memory of 1652 | 1664 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe | cmd.exe
    PID 1664 wrote to memory of 1652 | 1664 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe | cmd.exe
    PID 1664 wrote to memory of 1652 | 1664 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe | cmd.exe
    PID 1664 wrote to memory of 1652 | 1664 | e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe | cmd.exe
    PID 1652 wrote to memory of 1120 | 1652 | cmd.exe | attrib.exe
    PID 1652 wrote to memory of 1120 | 1652 | cmd.exe | attrib.exe
    PID 1652 wrote to memory of 1120 | 1652 | cmd.exe | attrib.exe
    PID 1652 wrote to memory of 1120 | 1652 | cmd.exe | attrib.exe
  • Views/modifies file attributes
    attrib.exe

    Tags

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pid | process
    1120 | attrib.exe
Processes 7
  • C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe"
    Modifies extensions of user files
    Drops desktop.ini file(s)
    Drops file in Program Files directory
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:1168
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden -c $mypid='1664';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259281134.tmp')|iex
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\SysWOW64\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
        Interacts with shadow copies
        PID:1120
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F75EACC.bat" "C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe""
      Deletes itself
      Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe"
        Views/modifies file attributes
        PID:1120
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Modifies service
    Suspicious use of AdjustPrivilegeToken
    PID:952
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Discovery, Execution, Exfiltration, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\0F75EACC.bat

    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

  • C:\Users\Admin\AppData\Local\Temp\~259281134.tmp

    MD5

    4e1a1e3e715c291c71950d2fdc79e2be

    SHA1

    dc2b3d20a9ec88e0d8d75c5097154687acc42983

    SHA256

    acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39

    SHA512

    d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80

  • memory/1120-28-0x0000000000000000-mapping.dmp
  • memory/1120-33-0x0000000000000000-mapping.dmp
  • memory/1168-2-0x0000000000000000-mapping.dmp
  • memory/1652-29-0x0000000000000000-mapping.dmp
  • memory/1664-3-0x00000000003E0000-0x00000000003EF000-memory.dmp
  • memory/1664-31-0x0000000002790000-0x0000000002794000-memory.dmp
  • memory/1664-30-0x00000000002C0000-0x00000000002C4000-memory.dmp
  • memory/1680-7-0x0000000004830000-0x0000000004831000-memory.dmp
  • memory/1680-5-0x0000000073A30000-0x000000007411E000-memory.dmp
  • memory/1680-19-0x0000000006250000-0x0000000006251000-memory.dmp
  • memory/1680-26-0x00000000062E0000-0x00000000062E1000-memory.dmp
  • memory/1680-27-0x0000000006300000-0x0000000006301000-memory.dmp
  • memory/1680-4-0x0000000000000000-mapping.dmp
  • memory/1680-13-0x0000000005620000-0x0000000005621000-memory.dmp
  • memory/1680-6-0x0000000000D20000-0x0000000000D21000-memory.dmp
  • memory/1680-9-0x0000000005320000-0x0000000005321000-memory.dmp
  • memory/1680-8-0x0000000002580000-0x0000000002581000-memory.dmp
  • memory/1680-18-0x00000000056D0000-0x00000000056D1000-memory.dmp