Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18-01-2021 22:20
Static task
static1
Behavioral task
behavioral1
Sample
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
Resource
win10v20201028
General
-
Target
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
-
Size
29KB
-
MD5
c6ec91aaa2bba2deb31fb645a2f9b9e4
-
SHA1
a921f8a827897250ebbc9847ea113f56dbb1c18d
-
SHA256
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0
-
SHA512
13571cf45881b5d4ef0904f2aa0e091e9fe895bf038b71075f09a051318cf052e0737ad1fab5549e5143e866fda816ce282a2330dea128357e201948b8ce7019
Malware Config
Extracted
C:\Users\Admin\Desktop\READ_ME.hta
https://wikipedia.org/wiki/Bitcoinhttps://wikipedia.org/wiki/Encryption
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
Processes:
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ_ME.hta b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe" b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe -
Drops file in System32 directory 2 IoCs
Processes:
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exedescription ioc process File opened for modification C:\Windows\SysWOW64\license.rtf b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File created C:\Windows\SysWOW64\locationnotificationsview.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe -
Drops file in Program Files directory 994 IoCs
Processes:
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\vi.txt b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Visualizer.zip b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\is.txt b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplate.html b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\ja.txt b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Earthy.css b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\SmallLogo.png b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\drag.png b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIconMask.bmp b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange.css b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl.css b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis.css b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File created C:\Program Files (x86)\Common Files\Services\verisign.bmp b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\da.txt b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\tr.txt b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe -
Drops file in Windows directory 319 IoCs
Processes:
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exedescription ioc process File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File created C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\EN\DropSqlPersistenceProviderLogic.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home0.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1025\LocalizedData.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1030\eula.rtf b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File created C:\Windows\servicing\Sessions\30846299_4142642496.back.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\SmtpSettings.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home2.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\3082\LocalizedData.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\en\Tracking_Schema.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallRoles.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security0.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1037\eula.rtf b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1041\eula.rtf b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1041\LocalizedData.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Logic.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Vss\Writers\System\75DFB225-E2E4-4d39-9AC9-FFAFF65DDF06.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallPersistSqlState.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminStyles.css b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\3082\eula.rtf b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1043\eula.rtf b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1055\eula.rtf b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File created C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\CA-wp1.jpg b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallPersonalization.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ThirdPartyNotices.txt b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\findUsers.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1045\LocalizedData.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File created C:\Windows\Fonts\fms_metadata.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallCommon.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallMembership.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminStyles.css b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallMembership.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallWebEventSqlProvider.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallRoles.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlPersistenceProviderSchema.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\DropSqlPersistenceProviderLogic.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Schema.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Panther\diagwrn.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Vss\Writers\System\D61D61C8-D73A-4EEE-8CDD-F6F9786B7124.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersonalization.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\AppConfigHome.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\DefineErrorPage.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\manageUsers.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UninstallWebEventSqlProvider.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File created C:\Windows\winsxs\reboot.xml b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\DropSqlWorkflowInstanceStoreSchema.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageAllRoles.aspx b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1033\eula.rtf b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallMembership.sql b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe -
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exepid process 2108 vssadmin.exe 2288 vssadmin.exe 2012 vssadmin.exe -
Processes:
mshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious use of AdjustPrivilegeToken 134 IoCs
Processes:
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exeWMIC.exevssvc.exeAUDIODG.EXEWMIC.exedescription pid process Token: SeDebugPrivilege 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe Token: 33 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe Token: SeIncBasePriorityPrivilege 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe Token: SeIncreaseQuotaPrivilege 1404 WMIC.exe Token: SeSecurityPrivilege 1404 WMIC.exe Token: SeTakeOwnershipPrivilege 1404 WMIC.exe Token: SeLoadDriverPrivilege 1404 WMIC.exe Token: SeSystemProfilePrivilege 1404 WMIC.exe Token: SeSystemtimePrivilege 1404 WMIC.exe Token: SeProfSingleProcessPrivilege 1404 WMIC.exe Token: SeIncBasePriorityPrivilege 1404 WMIC.exe Token: SeCreatePagefilePrivilege 1404 WMIC.exe Token: SeBackupPrivilege 1404 WMIC.exe Token: SeRestorePrivilege 1404 WMIC.exe Token: SeShutdownPrivilege 1404 WMIC.exe Token: SeDebugPrivilege 1404 WMIC.exe Token: SeSystemEnvironmentPrivilege 1404 WMIC.exe Token: SeRemoteShutdownPrivilege 1404 WMIC.exe Token: SeUndockPrivilege 1404 WMIC.exe Token: SeManageVolumePrivilege 1404 WMIC.exe Token: 33 1404 WMIC.exe Token: 34 1404 WMIC.exe Token: 35 1404 WMIC.exe Token: SeBackupPrivilege 1932 vssvc.exe Token: SeRestorePrivilege 1932 vssvc.exe Token: SeAuditPrivilege 1932 vssvc.exe Token: SeIncreaseQuotaPrivilege 1404 WMIC.exe Token: SeSecurityPrivilege 1404 WMIC.exe Token: SeTakeOwnershipPrivilege 1404 WMIC.exe Token: SeLoadDriverPrivilege 1404 WMIC.exe Token: SeSystemProfilePrivilege 1404 WMIC.exe Token: SeSystemtimePrivilege 1404 WMIC.exe Token: SeProfSingleProcessPrivilege 1404 WMIC.exe Token: SeIncBasePriorityPrivilege 1404 WMIC.exe Token: SeCreatePagefilePrivilege 1404 WMIC.exe Token: SeBackupPrivilege 1404 WMIC.exe Token: SeRestorePrivilege 1404 WMIC.exe Token: SeShutdownPrivilege 1404 WMIC.exe Token: SeDebugPrivilege 1404 WMIC.exe Token: SeSystemEnvironmentPrivilege 1404 WMIC.exe Token: SeRemoteShutdownPrivilege 1404 WMIC.exe Token: SeUndockPrivilege 1404 WMIC.exe Token: SeManageVolumePrivilege 1404 WMIC.exe Token: 33 1404 WMIC.exe Token: 34 1404 WMIC.exe Token: 35 1404 WMIC.exe Token: 33 1580 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1580 AUDIODG.EXE Token: 33 1580 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1580 AUDIODG.EXE Token: SeIncreaseQuotaPrivilege 2124 WMIC.exe Token: SeSecurityPrivilege 2124 WMIC.exe Token: SeTakeOwnershipPrivilege 2124 WMIC.exe Token: SeLoadDriverPrivilege 2124 WMIC.exe Token: SeSystemProfilePrivilege 2124 WMIC.exe Token: SeSystemtimePrivilege 2124 WMIC.exe Token: SeProfSingleProcessPrivilege 2124 WMIC.exe Token: SeIncBasePriorityPrivilege 2124 WMIC.exe Token: SeCreatePagefilePrivilege 2124 WMIC.exe Token: SeBackupPrivilege 2124 WMIC.exe Token: SeRestorePrivilege 2124 WMIC.exe Token: SeShutdownPrivilege 2124 WMIC.exe Token: SeDebugPrivilege 2124 WMIC.exe Token: SeSystemEnvironmentPrivilege 2124 WMIC.exe -
Suspicious use of WriteProcessMemory 68 IoCs
Processes:
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 2044 wrote to memory of 816 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe mshta.exe PID 2044 wrote to memory of 816 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe mshta.exe PID 2044 wrote to memory of 816 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe mshta.exe PID 2044 wrote to memory of 816 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe mshta.exe PID 2044 wrote to memory of 972 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe WScript.exe PID 2044 wrote to memory of 972 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe WScript.exe PID 2044 wrote to memory of 972 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe WScript.exe PID 2044 wrote to memory of 972 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe WScript.exe PID 2044 wrote to memory of 628 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 628 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 628 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 628 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 1472 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 1472 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 1472 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 1472 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 1120 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 1120 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 1120 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 1120 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 628 wrote to memory of 2012 628 cmd.exe vssadmin.exe PID 628 wrote to memory of 2012 628 cmd.exe vssadmin.exe PID 628 wrote to memory of 2012 628 cmd.exe vssadmin.exe PID 628 wrote to memory of 2012 628 cmd.exe vssadmin.exe PID 1472 wrote to memory of 1404 1472 cmd.exe WMIC.exe PID 1472 wrote to memory of 1404 1472 cmd.exe WMIC.exe PID 1472 wrote to memory of 1404 1472 cmd.exe WMIC.exe PID 1472 wrote to memory of 1404 1472 cmd.exe WMIC.exe PID 2044 wrote to memory of 1912 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 1912 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 1912 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 1912 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 908 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 908 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 908 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 908 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 2068 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 2068 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 2068 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 2068 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 1912 wrote to memory of 2108 1912 cmd.exe vssadmin.exe PID 1912 wrote to memory of 2108 1912 cmd.exe vssadmin.exe PID 1912 wrote to memory of 2108 1912 cmd.exe vssadmin.exe PID 1912 wrote to memory of 2108 1912 cmd.exe vssadmin.exe PID 908 wrote to memory of 2124 908 cmd.exe WMIC.exe PID 908 wrote to memory of 2124 908 cmd.exe WMIC.exe PID 908 wrote to memory of 2124 908 cmd.exe WMIC.exe PID 908 wrote to memory of 2124 908 cmd.exe WMIC.exe PID 2044 wrote to memory of 2192 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 2192 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 2192 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 2192 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 2204 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 2204 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 2204 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 2204 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 2224 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 2224 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 2224 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2044 wrote to memory of 2224 2044 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe cmd.exe PID 2204 wrote to memory of 2296 2204 cmd.exe WMIC.exe PID 2204 wrote to memory of 2296 2204 cmd.exe WMIC.exe PID 2204 wrote to memory of 2296 2204 cmd.exe WMIC.exe PID 2204 wrote to memory of 2296 2204 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe"C:\Users\Admin\AppData\Local\Temp\b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\READ_ME.hta"2⤵
- Modifies Internet Explorer settings
PID:816 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7SO8V6ET.vbs"2⤵PID:972
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2012 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete2⤵
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1404 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet2⤵PID:1120
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2108 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet2⤵PID:2068
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete2⤵
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2124 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet2⤵PID:2192
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2288 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet2⤵PID:2224
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete2⤵
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵PID:2296
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵PID:268
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5981⤵
- Suspicious use of AdjustPrivilegeToken
PID:1580
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7SO8V6ET.vbsMD5
07641762ad9c0d4b5983babccecb071b
SHA184afb077fccaa75f82338c30c5d03f4b67e39c62
SHA256c65ff4443a32b8144455278a1fd98d442e1ad76f738a82668b2229acd7a2a117
SHA5124be951540e9ad6c0eba31a1c31899ee1b327b4f37410cfc1f8a2fa8b27d705a265053f4ace0e8997b2ba337d293adb8d122860a85b775c41dfea5e1f252977ff
-
C:\Users\Admin\Desktop\READ_ME.htaMD5
a076b2df780ea7d573ffd70ce0c603ea
SHA1226531b08d9cdccf6de988172ed1e144b1d0be57
SHA2566d5c611b01516055bbc4a56e992e7d90fcab562448d5b56a179d0f286c4b356a
SHA512aa610f6f9c1b7cefe0f4bffe6acaae668b33e19430e137523193a51f30dd89b096b9fd29f323e9c1f71da0e6d99b8d8cb2eb334275db5ac02375af447a0e7fdd
-
memory/628-10-0x0000000000000000-mapping.dmp
-
memory/816-7-0x0000000000000000-mapping.dmp
-
memory/908-19-0x0000000000000000-mapping.dmp
-
memory/972-9-0x0000000000000000-mapping.dmp
-
memory/972-14-0x0000000075251000-0x0000000075253000-memory.dmpFilesize
8KB
-
memory/1120-13-0x0000000000000000-mapping.dmp
-
memory/1404-16-0x0000000000000000-mapping.dmp
-
memory/1472-11-0x0000000000000000-mapping.dmp
-
memory/1720-17-0x000007FEF6510000-0x000007FEF678A000-memory.dmpFilesize
2.5MB
-
memory/1912-18-0x0000000000000000-mapping.dmp
-
memory/2012-15-0x0000000000000000-mapping.dmp
-
memory/2044-2-0x0000000074230000-0x000000007491E000-memory.dmpFilesize
6.9MB
-
memory/2044-6-0x0000000001205000-0x0000000001216000-memory.dmpFilesize
68KB
-
memory/2044-5-0x0000000001200000-0x0000000001201000-memory.dmpFilesize
4KB
-
memory/2044-3-0x0000000001250000-0x0000000001251000-memory.dmpFilesize
4KB
-
memory/2068-20-0x0000000000000000-mapping.dmp
-
memory/2108-21-0x0000000000000000-mapping.dmp
-
memory/2124-22-0x0000000000000000-mapping.dmp
-
memory/2192-23-0x0000000000000000-mapping.dmp
-
memory/2204-24-0x0000000000000000-mapping.dmp
-
memory/2224-25-0x0000000000000000-mapping.dmp
-
memory/2288-27-0x0000000000000000-mapping.dmp
-
memory/2296-26-0x0000000000000000-mapping.dmp