226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.zip

General
Target

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Filesize

200KB

Completed

22-11-2020 00:19

Score
10/10
MD5

c2671bf5b5dedbfd3cfe3f0f944fbe01

SHA1

da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1

SHA256

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2

Malware Config
Signatures 14

Filter: none

Defense Evasion
Impact
Persistence
  • MountLocker Ransomware

    Description

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Modifies extensions of user files
    226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File renamedC:\Users\Admin\Pictures\DisconnectMeasure.tiff => \??\c:\Users\Admin\Pictures\DisconnectMeasure.tiff.ReadManual.EF9E23B4226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File renamedC:\Users\Admin\Pictures\ExportGroup.png => \??\c:\Users\Admin\Pictures\ExportGroup.png.ReadManual.EF9E23B4226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File renamedC:\Users\Admin\Pictures\FindAdd.png => \??\c:\Users\Admin\Pictures\FindAdd.png.ReadManual.EF9E23B4226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File renamedC:\Users\Admin\Pictures\FormatSend.crw => \??\c:\Users\Admin\Pictures\FormatSend.crw.ReadManual.EF9E23B4226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File renamedC:\Users\Admin\Pictures\OpenEnter.tif => \??\c:\Users\Admin\Pictures\OpenEnter.tif.ReadManual.EF9E23B4226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File renamedC:\Users\Admin\Pictures\WatchRename.png => \??\c:\Users\Admin\Pictures\WatchRename.png.ReadManual.EF9E23B4226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Admin\Pictures\DisconnectMeasure.tiff226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File renamedC:\Users\Admin\Pictures\EnterRequest.raw => \??\c:\Users\Admin\Pictures\EnterRequest.raw.ReadManual.EF9E23B4226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File renamedC:\Users\Admin\Pictures\RenameConnect.tif => \??\c:\Users\Admin\Pictures\RenameConnect.tif.ReadManual.EF9E23B4226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pidprocess
    1692cmd.exe
  • Drops desktop.ini file(s)
    226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modification\??\c:\Users\Admin\Links\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Admin\Saved Games\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Public\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Public\Music\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Admin\Contacts\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Admin\Favorites\Links\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Admin\Searches\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Admin\Music\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Public\Videos\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Admin\Favorites\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Public\Documents\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Public\Music\Sample Music\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Admin\Desktop\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Admin\Downloads\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Public\Desktop\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Public\Libraries\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Admin\Documents\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Admin\Pictures\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Public\Pictures\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Public\Downloads\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Public\Recorded TV\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Public\Videos\Sample Videos\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Users\Admin\Videos\desktop.ini226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
  • Modifies service
    vssvc.exe

    Tags

    TTPs

    Modify RegistryModify Existing Service

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writervssvc.exe
  • Drops file in Program Files directory
    226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modification\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File created\??\c:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\RecoveryManual.html226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21342_.GIF226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_F_COL.HXK226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Distinctive.dotx226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18187_.WMF226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME33.CSS226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR48B.GIF226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\CALENDAR.GIF226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\VideoLAN\VLC\lua\http\requests\browse.json226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01745_.GIF226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File created\??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\RecoveryManual.html226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\icon.png226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239967.WMF226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Beirut226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File created\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\RecoveryManual.html226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18249_.WMF226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\ONINTL.REST.IDX_DLL226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\Java\jre7\lib\flavormap.properties226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File created\??\c:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\RecoveryManual.html226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File created\??\c:\Program Files (x86)\Common Files\System\RecoveryManual.html226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00625_.WMF226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10255_.GIF226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00117_.WMF226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Office14\REMINDER.WAV226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03464_.WMF226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292020.WMF226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\TexturedBlue.css226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\MDIParent.zip226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01160_.WMF226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.XML226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.APL226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00397_.WMF226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert.css226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files\Java\jre7\lib\zi\WET226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01181_.WMF226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    File opened for modification\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186362.WMF226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery

    Reported IOCs

    pidprocess
    332vssadmin.exe
  • Modifies registry class
    226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.EF9E23B4226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.EF9E23B4\shell226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.EF9E23B4\shell\Open226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.EF9E23B4\shell\Open\command\ = "explorer.exe RecoveryManual.html"226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.EF9E23B4\shell\Open\command226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe

    Reported IOCs

    pidprocess
    1788powershell.exe
    1788powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exevssvc.exe226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege1788powershell.exe
    Token: SeBackupPrivilege1016vssvc.exe
    Token: SeRestorePrivilege1016vssvc.exe
    Token: SeAuditPrivilege1016vssvc.exe
    Token: SeTakeOwnershipPrivilege1204226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    Token: SeRestorePrivilege1204226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
  • Suspicious use of SetWindowsHookEx
    226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

    Reported IOCs

    pidprocess
    1204226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
  • Suspicious use of WriteProcessMemory
    226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exepowershell.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1204 wrote to memory of 17881204226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exepowershell.exe
    PID 1204 wrote to memory of 17881204226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exepowershell.exe
    PID 1204 wrote to memory of 17881204226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exepowershell.exe
    PID 1204 wrote to memory of 17881204226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exepowershell.exe
    PID 1788 wrote to memory of 3321788powershell.exevssadmin.exe
    PID 1788 wrote to memory of 3321788powershell.exevssadmin.exe
    PID 1788 wrote to memory of 3321788powershell.exevssadmin.exe
    PID 1788 wrote to memory of 3321788powershell.exevssadmin.exe
    PID 1204 wrote to memory of 16921204226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.execmd.exe
    PID 1204 wrote to memory of 16921204226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.execmd.exe
    PID 1204 wrote to memory of 16921204226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.execmd.exe
    PID 1204 wrote to memory of 16921204226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.execmd.exe
    PID 1692 wrote to memory of 3161692cmd.exeattrib.exe
    PID 1692 wrote to memory of 3161692cmd.exeattrib.exe
    PID 1692 wrote to memory of 3161692cmd.exeattrib.exe
    PID 1692 wrote to memory of 3161692cmd.exeattrib.exe
  • Views/modifies file attributes
    attrib.exe

    Tags

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pidprocess
    316attrib.exe
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
    Modifies extensions of user files
    Drops desktop.ini file(s)
    Drops file in Program Files directory
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden -c $mypid='1204';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259271087.tmp')|iex
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\SysWOW64\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
        Interacts with shadow copies
        PID:332
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F7568A2.bat" "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe""
      Deletes itself
      Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
        Views/modifies file attributes
        PID:316
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Modifies service
    Suspicious use of AdjustPrivilegeToken
    PID:1016
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
          Execution
            Exfiltration
              Impact
              Initial Access
                Lateral Movement
                  Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\0F7568A2.bat

                      MD5

                      348cae913e496198548854f5ff2f6d1e

                      SHA1

                      a07655b9020205bd47084afd62a8bb22b48c0cdc

                      SHA256

                      c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

                      SHA512

                      799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\~259271087.tmp

                      MD5

                      4e1a1e3e715c291c71950d2fdc79e2be

                      SHA1

                      dc2b3d20a9ec88e0d8d75c5097154687acc42983

                      SHA256

                      acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39

                      SHA512

                      d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80

                      Download Submit

                    • memory/316-32-0x0000000000000000-mapping.dmp

                      Download

                    • memory/332-27-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1204-30-0x0000000003120000-0x0000000003124000-memory.dmp

                      Download

                    • memory/1204-29-0x0000000002610000-0x0000000002614000-memory.dmp

                      Download

                    • memory/1204-2-0x00000000025C0000-0x00000000025CF000-memory.dmp

                      Download

                    • memory/1692-28-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1788-8-0x0000000005260000-0x0000000005261000-memory.dmp

                      Download

                    • memory/1788-7-0x00000000025F0000-0x00000000025F1000-memory.dmp

                      Download

                    • memory/1788-18-0x0000000006210000-0x0000000006211000-memory.dmp

                      Download

                    • memory/1788-25-0x00000000062A0000-0x00000000062A1000-memory.dmp

                      Download

                    • memory/1788-26-0x0000000006590000-0x0000000006591000-memory.dmp

                      Download

                    • memory/1788-6-0x00000000047E0000-0x00000000047E1000-memory.dmp

                      Download

                    • memory/1788-12-0x0000000005620000-0x0000000005621000-memory.dmp

                      Download

                    • memory/1788-5-0x0000000002310000-0x0000000002311000-memory.dmp

                      Download

                    • memory/1788-4-0x0000000073E00000-0x00000000744EE000-memory.dmp

                      Download

                    • memory/1788-3-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1788-17-0x00000000056D0000-0x00000000056D1000-memory.dmp

                      Download