Analysis
-
max time kernel
84s -
max time network
9s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
22-11-2020 00:17
Static task
static1
Behavioral task
behavioral1
Sample
226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Resource
win10v20201028
General
-
Target
226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
-
Size
200KB
-
MD5
c2671bf5b5dedbfd3cfe3f0f944fbe01
-
SHA1
da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1
-
SHA256
226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2
-
SHA512
256bc8582cc9b53b3cf9307a2882117476648ab9df540d501fc5f46a4030beacab9df2019f2d83b0a63d510803cbf6cbae01dc1325588f93a1a74521a07fe4d9
Malware Config
Signatures
-
MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exedescription ioc process File renamed C:\Users\Admin\Pictures\DisconnectMeasure.tiff => \??\c:\Users\Admin\Pictures\DisconnectMeasure.tiff.ReadManual.EF9E23B4 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File renamed C:\Users\Admin\Pictures\ExportGroup.png => \??\c:\Users\Admin\Pictures\ExportGroup.png.ReadManual.EF9E23B4 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File renamed C:\Users\Admin\Pictures\FindAdd.png => \??\c:\Users\Admin\Pictures\FindAdd.png.ReadManual.EF9E23B4 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File renamed C:\Users\Admin\Pictures\FormatSend.crw => \??\c:\Users\Admin\Pictures\FormatSend.crw.ReadManual.EF9E23B4 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File renamed C:\Users\Admin\Pictures\OpenEnter.tif => \??\c:\Users\Admin\Pictures\OpenEnter.tif.ReadManual.EF9E23B4 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File renamed C:\Users\Admin\Pictures\WatchRename.png => \??\c:\Users\Admin\Pictures\WatchRename.png.ReadManual.EF9E23B4 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Admin\Pictures\DisconnectMeasure.tiff 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File renamed C:\Users\Admin\Pictures\EnterRequest.raw => \??\c:\Users\Admin\Pictures\EnterRequest.raw.ReadManual.EF9E23B4 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File renamed C:\Users\Admin\Pictures\RenameConnect.tif => \??\c:\Users\Admin\Pictures\RenameConnect.tif.ReadManual.EF9E23B4 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1692 cmd.exe -
Drops desktop.ini file(s) 29 IoCs
Processes:
226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exedescription ioc process File opened for modification \??\c:\Users\Admin\Links\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Public\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Public\Music\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Admin\Searches\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Admin\Music\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Public\Videos\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Public\Documents\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Public\Music\Sample Music\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Public\Desktop\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Public\Libraries\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Admin\Documents\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Public\Pictures\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Public\Downloads\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Public\Recorded TV\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Public\Videos\Sample Videos\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Users\Admin\Videos\desktop.ini 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe -
Modifies service 2 TTPs 4 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe -
Drops file in Program Files directory 9149 IoCs
Processes:
226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exedescription ioc process File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File created \??\c:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\RecoveryManual.html 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21342_.GIF 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_F_COL.HXK 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Distinctive.dotx 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18187_.WMF 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME33.CSS 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR48B.GIF 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\CALENDAR.GIF 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\VideoLAN\VLC\lua\http\requests\browse.json 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01745_.GIF 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File created \??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\RecoveryManual.html 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\icon.png 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239967.WMF 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Beirut 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File created \??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\RecoveryManual.html 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18249_.WMF 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\ONINTL.REST.IDX_DLL 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\Java\jre7\lib\flavormap.properties 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File created \??\c:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\RecoveryManual.html 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File created \??\c:\Program Files (x86)\Common Files\System\RecoveryManual.html 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00625_.WMF 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10255_.GIF 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00117_.WMF 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\REMINDER.WAV 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03464_.WMF 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292020.WMF 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\TexturedBlue.css 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\MDIParent.zip 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01160_.WMF 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.XML 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.APL 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00397_.WMF 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert.css 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files\Java\jre7\lib\zi\WET 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01181_.WMF 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186362.WMF 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 332 vssadmin.exe -
Modifies registry class 5 IoCs
Processes:
226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.EF9E23B4 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.EF9E23B4\shell 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.EF9E23B4\shell\Open 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.EF9E23B4\shell\Open\command\ = "explorer.exe RecoveryManual.html" 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.EF9E23B4\shell\Open\command 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 1788 powershell.exe 1788 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
powershell.exevssvc.exe226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exedescription pid process Token: SeDebugPrivilege 1788 powershell.exe Token: SeBackupPrivilege 1016 vssvc.exe Token: SeRestorePrivilege 1016 vssvc.exe Token: SeAuditPrivilege 1016 vssvc.exe Token: SeTakeOwnershipPrivilege 1204 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe Token: SeRestorePrivilege 1204 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exepid process 1204 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exepowershell.execmd.exedescription pid process target process PID 1204 wrote to memory of 1788 1204 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe powershell.exe PID 1204 wrote to memory of 1788 1204 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe powershell.exe PID 1204 wrote to memory of 1788 1204 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe powershell.exe PID 1204 wrote to memory of 1788 1204 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe powershell.exe PID 1788 wrote to memory of 332 1788 powershell.exe vssadmin.exe PID 1788 wrote to memory of 332 1788 powershell.exe vssadmin.exe PID 1788 wrote to memory of 332 1788 powershell.exe vssadmin.exe PID 1788 wrote to memory of 332 1788 powershell.exe vssadmin.exe PID 1204 wrote to memory of 1692 1204 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe cmd.exe PID 1204 wrote to memory of 1692 1204 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe cmd.exe PID 1204 wrote to memory of 1692 1204 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe cmd.exe PID 1204 wrote to memory of 1692 1204 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe cmd.exe PID 1692 wrote to memory of 316 1692 cmd.exe attrib.exe PID 1692 wrote to memory of 316 1692 cmd.exe attrib.exe PID 1692 wrote to memory of 316 1692 cmd.exe attrib.exe PID 1692 wrote to memory of 316 1692 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden -c $mypid='1204';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259271087.tmp')|iex2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\vssadmin.exe"C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet3⤵
- Interacts with shadow copies
PID:332 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F7568A2.bat" "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe""2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\attrib.exeattrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"3⤵
- Views/modifies file attributes
PID:316
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1016
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
348cae913e496198548854f5ff2f6d1e
SHA1a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611
-
MD5
4e1a1e3e715c291c71950d2fdc79e2be
SHA1dc2b3d20a9ec88e0d8d75c5097154687acc42983
SHA256acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39
SHA512d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80