Analysis
- max time kernel: 118s
- max time network: 117s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 22:48
Static task: static1
Behavioral task: behavioral1
- Sample: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
- Resource: win10v20201028
General
- Target: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
- Size: 29KB
- MD5: c6ec91aaa2bba2deb31fb645a2f9b9e4
- SHA1: a921f8a827897250ebbc9847ea113f56dbb1c18d
- SHA256: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0
- SHA512: 13571cf45881b5d4ef0904f2aa0e091e9fe895bf038b71075f09a051318cf052e0737ad1fab5549e5143e866fda816ce282a2330dea128357e201948b8ce7019
Malware Config
Extracted
- Path: C:\Users\Admin\Desktop\READ_ME.hta
- URLs: https://wikipedia.org/wiki/Bitcoin
  https://wikipedia.org/wiki/Encryption
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Drops startup file (1 IoCs)
  Processes: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ_ME.hta | b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe" | b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
- Drops file in System32 directory (2 IoCs)
  Processes: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\license.rtf | b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
  File created | C:\Windows\SysWOW64\locationnotificationsview.xml | b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
- Drops file in Program Files directory (994 IoCs)
  Processes: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
- Drops file in Windows directory (319 IoCs)
  Processes: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe, vssadmin.exe
  pid | process
  1900 | vssadmin.exe
  2116 | vssadmin.exe
  2316 | vssadmin.exe
- Processes: mshta.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
- Suspicious use of AdjustPrivilegeToken (134 IoCs)
  Processes: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe, WMIC.exe, vssvc.exe, AUDIODG.EXE, WMIC.exe
- Suspicious use of WriteProcessMemory (68 IoCs)
  Processes: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe, cmd.exe (1464), cmd.exe (1548), cmd.exe (1448), cmd.exe (2052), cmd.exe (2232)

Four identical WriteProcessMemory events were logged for every child below; the repeated rows are collapsed into the "events" column.

pid   process                                                                 target pid  target process  events
2044  b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe   916         mshta.exe       4
2044  b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe   972         WScript.exe     4
2044  b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe   1464        cmd.exe         4
2044  b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe   1548        cmd.exe         4
2044  b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe   1192        cmd.exe         4
1464  cmd.exe                                                                 1900        vssadmin.exe    4
1548  cmd.exe                                                                 1612        WMIC.exe        4
2044  b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe   1448        cmd.exe         4
2044  b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe   2052        cmd.exe         4
2044  b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe   2072        cmd.exe         4
1448  cmd.exe                                                                 2116        vssadmin.exe    4
2052  cmd.exe                                                                 2136        WMIC.exe        4
2044  b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe   2232        cmd.exe         4
2044  b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe   2244        cmd.exe         4
2044  b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe   2264        cmd.exe         4
2232  cmd.exe                                                                 2316        vssadmin.exe    4
Processes
-
Process tree (indentation shows parent/child depth; signatures triggered by each process are listed under it):

C:\Users\Admin\AppData\Local\Temp\b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe"
  PID: 2044
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\READ_ME.hta"
    PID: 916
    - Modifies Internet Explorer settings

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WRJC1WSO.vbs"
    PID: 972

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
    PID: 1464
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 1900
      - Interacts with shadow copies

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    PID: 1548
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      PID: 1612
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    PID: 1192

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
    PID: 1448
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 2116
      - Interacts with shadow copies

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    PID: 2052
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      PID: 2136
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    PID: 2072

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
    PID: 2232
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 2316
      - Interacts with shadow copies

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    PID: 2244

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      PID: 2324

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    PID: 2264

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 556
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
  PID: 744

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x598
  PID: 1120
  - Suspicious use of AdjustPrivilegeToken
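The tree above is the whole story of this sample's recovery inhibition: the sample spawns cmd.exe three times in a row for vssadmin, wmic and wbadmin, and repeats the cycle three times. The script below is an added detection example, not part of the sandbox report or of the sample; it rebuilds a process tree from constructed process-creation events (pid, ppid, image, command line) modelled on the report's tree, flags the shadow-copy and backup-catalog deletion command lines plus the mshta launch of an .hta from the user profile, and walks every hit back to its root ancestor so the repeated hits collapse onto one parent. The parent pid of the sample and of the service processes is an assumption, as are the benign admin event added to show a non-match; the report records none of these. Two choices worth noting: it matches on the command line rather than on the child image, so the wbadmin invocation is caught even though the report shows no wbadmin.exe child under those cmd.exe processes, and it compares image basenames only, because the 32-bit sample's children show SysWOW64 image paths while their command lines say System32 (WOW64 file system redirection).

```python
import re
from collections import Counter

# Constructed process-creation events modelled on the sandbox tree on this page.
# ppid 1000 for the sample, ppid 0 for vssvc.exe and the benign event (pid 3000)
# are assumptions: the report does not record those parents.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"          # image path as logged (WOW64)
CMD_LINE = r'"C:\Windows\System32\cmd.exe"'   # path as written on the command line
EVENTS = [
    {"pid": 2044, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 916,  "ppid": 2044, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\READ_ME.hta"'},
    {"pid": 972,  "ppid": 2044, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WRJC1WSO.vbs"'},
    {"pid": 1464, "ppid": 2044, "image": CMD, "cmdline": CMD_LINE + " /C vssadmin.exe delete shadows /all /quiet"},
    {"pid": 1900, "ppid": 1464, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 1548, "ppid": 2044, "image": CMD, "cmdline": CMD_LINE + " /C wmic shadowcopy delete"},
    {"pid": 1612, "ppid": 1548, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 1192, "ppid": 2044, "image": CMD, "cmdline": CMD_LINE + " /C wbadmin delete catalog -quiet"},
    {"pid": 556,  "ppid": 0,    "image": r"C:\Windows\system32\vssvc.exe", "cmdline": r"C:\Windows\system32\vssvc.exe"},
    # Benign administrative use of the same tool: must not fire.
    {"pid": 3000, "ppid": 0,    "image": CMD, "cmdline": CMD_LINE + " /C vssadmin list shadows"},
]

# Each rule is (name, pattern over the command line). Only the destructive
# sub-commands match; "vssadmin list shadows" and "wbadmin get versions" do not.
RULES = [
    ("inhibit_system_recovery", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("inhibit_system_recovery", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("inhibit_system_recovery", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("hta_from_user_profile",   re.compile(r"\bmshta(\.exe)?\b.*\\Users\\[^\"]*\.hta\b", re.I)),
]


def basename(path):
    """Compare on the file name only: SysWOW64 vs System32 is redirection noise."""
    return path.rsplit("\\", 1)[-1]


def ancestry(pid, by_pid):
    """Chain of events from the root ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def detect(events):
    """Return one finding per event whose command line matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        for rule, rx in RULES:
            if rx.search(e["cmdline"]):
                chain = ancestry(e["pid"], by_pid)
                findings.append({
                    "rule": rule,
                    "pid": e["pid"],
                    "root_pid": chain[0]["pid"],
                    "chain": " -> ".join(basename(p["image"]) for p in chain),
                })
                break  # one finding per event even if several patterns match
    return findings


def roots_by_finding_count(findings, threshold=3):
    """Root ancestors with at least `threshold` recovery-inhibition hits below
    them; one root collecting vssadmin, wmic and wbadmin hits is the pattern
    the report shows."""
    counts = Counter(f["root_pid"] for f in findings if f["rule"] == "inhibit_system_recovery")
    return {pid: n for pid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f"{f['rule']:<26} pid={f['pid']:<5} {f['chain']}")
    print("roots with repeated recovery inhibition:", roots_by_finding_count(found))
```

Run as-is it prints six findings, all chaining back to pid 2044, and reports that root with five recovery-inhibition hits; the benign `vssadmin list shadows` event and vssvc.exe produce nothing. Feeding it real Sysmon Event ID 1 or EDR process-creation records only requires mapping their fields onto pid/ppid/image/cmdline.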
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5 07641762ad9c0d4b5983babccecb071b
SHA1 84afb077fccaa75f82338c30c5d03f4b67e39c62
SHA256 c65ff4443a32b8144455278a1fd98d442e1ad76f738a82668b2229acd7a2a117
SHA512 4be951540e9ad6c0eba31a1c31899ee1b327b4f37410cfc1f8a2fa8b27d705a265053f4ace0e8997b2ba337d293adb8d122860a85b775c41dfea5e1f252977ff
-
MD5 a076b2df780ea7d573ffd70ce0c603ea
SHA1 226531b08d9cdccf6de988172ed1e144b1d0be57
SHA256 6d5c611b01516055bbc4a56e992e7d90fcab562448d5b56a179d0f286c4b356a
SHA512 aa610f6f9c1b7cefe0f4bffe6acaae668b33e19430e137523193a51f30dd89b096b9fd29f323e9c1f71da0e6d99b8d8cb2eb334275db5ac02375af447a0e7fdd