Behavioral Report

General

Target

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Size

200KB
MD5

c2671bf5b5dedbfd3cfe3f0f944fbe01
SHA1

da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1
SHA256

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2
SHA512

256bc8582cc9b53b3cf9307a2882117476648ab9df540d501fc5f46a4030beacab9df2019f2d83b0a63d510803cbf6cbae01dc1325588f93a1a74521a07fe4d9

Score

10^/10

mountlocker persistence ransomware

Malware Config

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\AddRestart.raw => \??\c:\Users\Admin\Pictures\AddRestart.raw.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Pictures\ConfirmRedo.tiff	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\ConfirmRedo.tiff => \??\c:\Users\Admin\Pictures\ConfirmRedo.tiff.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\DismountGrant.tif => \??\c:\Users\Admin\Pictures\DismountGrant.tif.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\JoinConvertTo.tif => \??\c:\Users\Admin\Pictures\JoinConvertTo.tif.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Drops desktop.ini file(s) 27 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\AccountPictures\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\OneDrive\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 8361 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\faf-main.css	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\ui-strings.js	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-options.xml	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-ma\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-pl.xrm-ms	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Windows NT\TableTextService\TableTextServiceTigrinya.txt	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ro-ro\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-press.svg	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nl-nl\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-ma\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MEDIA\CLICK.WAV	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\selector.js	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\ui-strings.js	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\root\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\include\win32\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_zh_CN.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\virgo_mycomputer_folder_icon.svg	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\Windows Defender Advanced Threat Protection\en-US\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pl-pl\ui-strings.js	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\ui-strings.js	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\StopTest.mpeg3	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\Windows Multimedia Platform\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover_2x.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3840 vssadmin.exe

pid	process
3840	vssadmin.exe

Modifies registry class 5 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\.EF9E23B4\shell	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\.EF9E23B4\shell\Open	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\.EF9E23B4\shell\Open\command\ = "explorer.exe RecoveryManual.html"	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\.EF9E23B4\shell\Open\command	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exe

pid process

3572 powershell.exe
3572 powershell.exe
3572 powershell.exe
3572 powershell.exe
3572 powershell.exe
3572 powershell.exe

pid	process
3572	powershell.exe
3572	powershell.exe
3572	powershell.exe
3572	powershell.exe
3572	powershell.exe
3572	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exevssvc.exe226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	pid	process
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeBackupPrivilege	3088	vssvc.exe
Token: SeRestorePrivilege	3088	vssvc.exe
Token: SeAuditPrivilege	3088	vssvc.exe
Token: SeTakeOwnershipPrivilege	3336	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Token: SeRestorePrivilege	3336	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

pid process

3336 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

pid	process
3336	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exepowershell.execmd.exe

description	pid	process	target process
PID 3336 wrote to memory of 3572	3336	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	powershell.exe
PID 3336 wrote to memory of 3572	3336	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	powershell.exe
PID 3336 wrote to memory of 3572	3336	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	powershell.exe
PID 3572 wrote to memory of 3840	3572	powershell.exe	vssadmin.exe
PID 3572 wrote to memory of 3840	3572	powershell.exe	vssadmin.exe
PID 3572 wrote to memory of 3840	3572	powershell.exe	vssadmin.exe
PID 3336 wrote to memory of 3968	3336	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	cmd.exe
PID 3336 wrote to memory of 3968	3336	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	cmd.exe
PID 3336 wrote to memory of 3968	3336	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	cmd.exe
PID 3968 wrote to memory of 3912	3968	cmd.exe	attrib.exe
PID 3968 wrote to memory of 3912	3968	cmd.exe	attrib.exe
PID 3968 wrote to memory of 3912	3968	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3912 attrib.exe

pid	process
3912	attrib.exe

C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
"C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden -c $mypid='3336';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259291281.tmp')|iex
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
- Interacts with shadow copies
PID:3840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0F75973F.bat" "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe""
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
- Views/modifies file attributes
PID:3912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\0F75973F.bat
MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\~259291281.tmp
MD5
4e1a1e3e715c291c71950d2fdc79e2be

SHA1
dc2b3d20a9ec88e0d8d75c5097154687acc42983

SHA256
acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39

SHA512
d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80

Download Submit
memory/3336-2-0x0000000004300000-0x000000000430F000-memory.dmp

Filesize
60KB

Download
memory/3572-12-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/3572-4-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6MB

Download
memory/3572-7-0x0000000006C10000-0x0000000006C11000-memory.dmp

Filesize
4KB

Download
memory/3572-8-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/3572-9-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/3572-10-0x0000000007790000-0x0000000007791000-memory.dmp

Filesize
4KB

Download
memory/3572-11-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download
memory/3572-5-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/3572-13-0x0000000007EC0000-0x0000000007EC1000-memory.dmp

Filesize
4KB

Download
memory/3572-6-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/3572-15-0x00000000095B0000-0x00000000095B1000-memory.dmp

Filesize
4KB

Download
memory/3572-16-0x0000000008B30000-0x0000000008B31000-memory.dmp

Filesize
4KB

Download
memory/3572-3-0x0000000000000000-mapping.dmp

Download
memory/3572-18-0x0000000008F30000-0x0000000008F31000-memory.dmp

Filesize
4KB

Download
memory/3572-19-0x0000000008C30000-0x0000000008C31000-memory.dmp

Filesize
4KB

Download
memory/3572-20-0x0000000009C30000-0x0000000009C31000-memory.dmp

Filesize
4KB

Download
memory/3840-17-0x0000000000000000-mapping.dmp

Download
memory/3912-23-0x0000000000000000-mapping.dmp

Download
memory/3968-21-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Downloads