be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde

Analysis

max time kernel
112s
max time network
144s
platform
windows7_x64
resource
win7v20201028
submitted
24-12-2020 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
Size

425KB
MD5

c486aedae4bb88c1bd5064f12df7e188
SHA1

9880e8a0655cf1d0dad855703b85e1bb9bd4db82
SHA256

be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde
SHA512

fbcccfbc92782740ad542038b2ae3b0d6926d87deeaed6f25dbcf1db4bc00a36af1fe8e74a642fd6a40ee625199b210fad119afbc2a5b7c87c96f603343b2f16

Score

8^/10

ransomware spyware

Malware Config

Signatures

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SetConvertFrom.raw => C:\Users\Admin\Pictures\SetConvertFrom.raw.7F09C1E8BA5162798BEE61DDE2FC86E3F48FE3B9DDF49B3B77C15A14799D081D	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\WaitFind.tif => C:\Users\Admin\Pictures\WaitFind.tif.1F88F70016AF0B151EF9E3994BEF2493A41853CFAFD8455008942DD19F475F19	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\AddUnlock.tif => C:\Users\Admin\Pictures\AddUnlock.tif.4ABBE7247EABE418C58D43E5E1B5072CEFB40596FC23870B00F8F1C6ABA1410F	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\PushMount.crw => C:\Users\Admin\Pictures\PushMount.crw.A35D714593C4DE8F8B1ECE11B588EF5F77E25997F78C35A97C1A1DADA573EB40	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\CompressStop.tif => C:\Users\Admin\Pictures\CompressStop.tif.FA3DBC73B10045E7CF6312F5945F15F2BBB1AFE182BA72316F170EAC6DB0432F	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveStop.tiff	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\RemoveStop.tiff => C:\Users\Admin\Pictures\RemoveStop.tiff.B8FA245BDBA1B1AC3C8A49F55902E22F600B0A3CE7A71EC66A287CAC956FA80E	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\UninstallReceive.raw => C:\Users\Admin\Pictures\UninstallReceive.raw.5711915AD34B8DC436F0E90AB8C931B3FC95BC5062A464393FFD3B745E53C67E	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\BackupInvoke.tiff	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\BackupInvoke.tiff => C:\Users\Admin\Pictures\BackupInvoke.tiff.2B9E054B027503D123C3783A53F2874DA30359B2D440744B7F763F2A19CEF13B	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 35 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8DDKLDOL\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AT22T7OH\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F6O5NPVK\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RKGIF8TT\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\V:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\M:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\R:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\E:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\Y:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\U:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\F:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\J:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\L:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\Z:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\W:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\O:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\P:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\S:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\G:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\N:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\T:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\I:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\H:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\X:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\B:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\Q:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a600000000002000000000010660000000100002000000084343c834f27900e27ef9005bba052321ad5b4810cdcf86b6e052a9714f1e675000000000e80000000020000200000007f491ae892ef418cf40eee9fc12197c583a40f9f014863769ca766a26e4996b190000000549c0bfa9f051c1f89f7bd565396284bfac8fecc8b9005c554ceeb4f7845a8d47b4f79bda539716523ca7a26e24453d3ac40c78043cba02ba6bf189e317915929a636c96601ccdba672f311b2477e1cbe378ed81f5435b7265587f0d9659d2b7d4ed9b7b4b10817590cfcbcb846c64ae12189b22d8df06b0a51f18cd1a82fea6b2d361e0cc19639ccebe189d0afc1f7640000000104607b5e4ebd7519950570ccb3b3e9d6b6e382db18005892a4cdfedddfab96320f7a9056f02909579b53ac843cc1a72dba3b14db41630fe33fbcfb63276698b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000000093bbd1d983b48eda401720beab5d7da18242e46daff7226ad9478a05b0a706000000000e8000000002000020000000936954e0f2bd9d44ec2eab4eb081b6d4d8ce7cf21fe9f270bcf7636901ddaa7c20000000ccfd8c82e0848d083a159ee167c42baf3cb1cc512199092652f0e2edaaeed08240000000d49d68ce71071e01a855033235cd2cb9340a3e694ce81a1ad86d762ae16c42d89267ab88ad76c122a4cd657c124ef29cac62d659ab47c4b345420430cbeee42d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b05bb8e8e6d9d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "315573845"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1F7A08D1-45DA-11EB-BA33-6280D915632E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1900	iexplore.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	744	vssvc.exe
Token: SeRestorePrivilege	744	vssvc.exe
Token: SeAuditPrivilege	744	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1900	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1900	iexplore.exe
1900	iexplore.exe
204	IEXPLORE.EXE
204	IEXPLORE.EXE
204	IEXPLORE.EXE
204	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1900	iexplore.exe
204	IEXPLORE.EXE
204	IEXPLORE.EXE
204	IEXPLORE.EXE
204	IEXPLORE.EXE
204	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 204	1900	iexplore.exe	35
PID 1900 wrote to memory of 204	1900	iexplore.exe	35
PID 1900 wrote to memory of 204	1900	iexplore.exe	35
PID 1900 wrote to memory of 204	1900	iexplore.exe	35
PID 1900 wrote to memory of 1760	1900	iexplore.exe	36
PID 1900 wrote to memory of 1760	1900	iexplore.exe	36
PID 1900 wrote to memory of 1760	1900	iexplore.exe	36
PID 1900 wrote to memory of 1760	1900	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
PID:1068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:204
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275466 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1760