b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0

General

Target

b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
Size

29KB
MD5

c6ec91aaa2bba2deb31fb645a2f9b9e4
SHA1

a921f8a827897250ebbc9847ea113f56dbb1c18d
SHA256

b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0
SHA512

13571cf45881b5d4ef0904f2aa0e091e9fe895bf038b71075f09a051318cf052e0737ad1fab5549e5143e866fda816ce282a2330dea128357e201948b8ce7019

Score

10^/10

persistence ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\READ_ME.hta

Ransom Note

E P S I L O N Ransomware ⠀ As you can see, all your files got encrypted. Thats why your files are no longer readable. If you want them back, please contact us at our email below. You can send us a couple of files and we will return the restored ones to prove that only we can do it. [email protected] You can ask for more details and more help by email. You can learn more about bitcoin and encryption on wikipedia. https://wikipedia.org/wiki/Bitcoinhttps://wikipedia.org/wiki/Encryption ⠀ If you already submited your payement, you will receive your private key and another decryption key with the special decryption software. More informations: 1. the infection was due to vulnerabilities in your software. 2. our goal is to return your data, but if you don't contact us, we will not succeed. IMPORTANT: 1. if you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data. 2. only communication through our email can guarantee file recover for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers. 3. please, do not try to rename encrypted files.

Emails

[email protected]

URLs

https://wikipedia.org/wiki/Bitcoinhttps://wikipedia.org/wiki/Encryption

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

Processes:

b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ_ME.hta	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe"	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe

Drops file in System32 directory 1 IoCs

Processes:

b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe

description ioc process

File created C:\Windows\SysWOW64\@AudioToastIcon.png b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe

description	ioc	process
File created	C:\Windows\SysWOW64\@AudioToastIcon.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe

Drops file in Program Files directory 1671 IoCs

Processes:

b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\LogoCanary.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jvm.hprof.txt	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\forms_poster.jpg	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-2x.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\logo_retina.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\dot_2x.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\file_icons.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-left.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons2x.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\sample-thumb.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.White.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Bears.htm	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\Xusage.txt	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\setEmbeddedCP.bat	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close2x.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\sfs_icons.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-1x.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\download-btn.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\SearchEmail2x.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main.css	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_pattern_RHP.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\core_icons.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe

Drops file in Windows directory 386 IoCs

Processes:

b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe

description	ioc	process
File created	C:\Windows\ImmersiveControlPanel\appxblockmap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.Windows.Photos_2016.511.9510.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.WindowsCamera_2017.125.40.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\en\Tracking_Logic.sql	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallWebEventSqlProvider.sql	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallMembership.sql	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\Web\Wallpaper\Theme2\img10.jpg	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\clientexclusionlist.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Advanced.Theme-Dark_Scale-100.png	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.WindowsMaps_2017.209.105.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\DefaultWsdlHelpGenerator.aspx	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\SubsetList\Client.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\06 - SystemAbout.lnk	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Frameworks\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x86__8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\security0.aspx	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\SystemApps\DesktopView_cw5n1h2txyewy\appxblockmap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\Vss\Writers\System\75DFB225-E2E4-4d39-9AC9-FFAFF65DDF06.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\Web\Wallpaper\Windows\img0.jpg	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.WindowsAlarms_2017.203.236.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\Provisioning\categories.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clientexclusionlist.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallCommon.sql	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageAllRoles.aspx	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminStyles.css	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\ManageConsolidatedProviders.aspx	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.ZuneMusic_2019.16112.11621.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\SystemApps\CortanaListenUIApp_cw5n1h2txyewy\appxblockmap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AppxBlockMap.xml	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

2684 vssadmin.exe
2940 vssadmin.exe
4092 vssadmin.exe

pid	process
2684	vssadmin.exe
2940	vssadmin.exe
4092	vssadmin.exe

Modifies registry class 1 IoCs

Processes:

b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe

Suspicious use of AdjustPrivilegeToken 138 IoCs

Processes:

b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
Token: 33	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
Token: SeIncBasePriorityPrivilege	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
Token: SeIncreaseQuotaPrivilege	3136	WMIC.exe
Token: SeSecurityPrivilege	3136	WMIC.exe
Token: SeTakeOwnershipPrivilege	3136	WMIC.exe
Token: SeLoadDriverPrivilege	3136	WMIC.exe
Token: SeSystemProfilePrivilege	3136	WMIC.exe
Token: SeSystemtimePrivilege	3136	WMIC.exe
Token: SeProfSingleProcessPrivilege	3136	WMIC.exe
Token: SeIncBasePriorityPrivilege	3136	WMIC.exe
Token: SeCreatePagefilePrivilege	3136	WMIC.exe
Token: SeBackupPrivilege	3136	WMIC.exe
Token: SeRestorePrivilege	3136	WMIC.exe
Token: SeShutdownPrivilege	3136	WMIC.exe
Token: SeDebugPrivilege	3136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3136	WMIC.exe
Token: SeRemoteShutdownPrivilege	3136	WMIC.exe
Token: SeUndockPrivilege	3136	WMIC.exe
Token: SeManageVolumePrivilege	3136	WMIC.exe
Token: 33	3136	WMIC.exe
Token: 34	3136	WMIC.exe
Token: 35	3136	WMIC.exe
Token: 36	3136	WMIC.exe
Token: SeBackupPrivilege	2696	vssvc.exe
Token: SeRestorePrivilege	2696	vssvc.exe
Token: SeAuditPrivilege	2696	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3136	WMIC.exe
Token: SeSecurityPrivilege	3136	WMIC.exe
Token: SeTakeOwnershipPrivilege	3136	WMIC.exe
Token: SeLoadDriverPrivilege	3136	WMIC.exe
Token: SeSystemProfilePrivilege	3136	WMIC.exe
Token: SeSystemtimePrivilege	3136	WMIC.exe
Token: SeProfSingleProcessPrivilege	3136	WMIC.exe
Token: SeIncBasePriorityPrivilege	3136	WMIC.exe
Token: SeCreatePagefilePrivilege	3136	WMIC.exe
Token: SeBackupPrivilege	3136	WMIC.exe
Token: SeRestorePrivilege	3136	WMIC.exe
Token: SeShutdownPrivilege	3136	WMIC.exe
Token: SeDebugPrivilege	3136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3136	WMIC.exe
Token: SeRemoteShutdownPrivilege	3136	WMIC.exe
Token: SeUndockPrivilege	3136	WMIC.exe
Token: SeManageVolumePrivilege	3136	WMIC.exe
Token: 33	3136	WMIC.exe
Token: 34	3136	WMIC.exe
Token: 35	3136	WMIC.exe
Token: 36	3136	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2244	WMIC.exe
Token: SeSecurityPrivilege	2244	WMIC.exe
Token: SeTakeOwnershipPrivilege	2244	WMIC.exe
Token: SeLoadDriverPrivilege	2244	WMIC.exe
Token: SeSystemProfilePrivilege	2244	WMIC.exe
Token: SeSystemtimePrivilege	2244	WMIC.exe
Token: SeProfSingleProcessPrivilege	2244	WMIC.exe
Token: SeIncBasePriorityPrivilege	2244	WMIC.exe
Token: SeCreatePagefilePrivilege	2244	WMIC.exe
Token: SeBackupPrivilege	2244	WMIC.exe
Token: SeRestorePrivilege	2244	WMIC.exe
Token: SeShutdownPrivilege	2244	WMIC.exe
Token: SeDebugPrivilege	2244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2244	WMIC.exe
Token: SeRemoteShutdownPrivilege	2244	WMIC.exe
Token: SeUndockPrivilege	2244	WMIC.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4028 wrote to memory of 2444	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	mshta.exe
PID 4028 wrote to memory of 2444	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	mshta.exe
PID 4028 wrote to memory of 2444	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	mshta.exe
PID 4028 wrote to memory of 756	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	WScript.exe
PID 4028 wrote to memory of 756	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	WScript.exe
PID 4028 wrote to memory of 756	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	WScript.exe
PID 4028 wrote to memory of 1484	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 1484	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 1484	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 3608	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 3608	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 3608	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 2276	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 2276	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 2276	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 1484 wrote to memory of 2684	1484	cmd.exe	vssadmin.exe
PID 1484 wrote to memory of 2684	1484	cmd.exe	vssadmin.exe
PID 1484 wrote to memory of 2684	1484	cmd.exe	vssadmin.exe
PID 3608 wrote to memory of 3136	3608	cmd.exe	WMIC.exe
PID 3608 wrote to memory of 3136	3608	cmd.exe	WMIC.exe
PID 3608 wrote to memory of 3136	3608	cmd.exe	WMIC.exe
PID 4028 wrote to memory of 4040	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 4040	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 4040	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 3200	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 3200	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 3200	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 3256	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 3256	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 3256	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4040 wrote to memory of 2940	4040	cmd.exe	vssadmin.exe
PID 4040 wrote to memory of 2940	4040	cmd.exe	vssadmin.exe
PID 4040 wrote to memory of 2940	4040	cmd.exe	vssadmin.exe
PID 3200 wrote to memory of 2244	3200	cmd.exe	WMIC.exe
PID 3200 wrote to memory of 2244	3200	cmd.exe	WMIC.exe
PID 3200 wrote to memory of 2244	3200	cmd.exe	WMIC.exe
PID 4028 wrote to memory of 3440	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 3440	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 3440	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 3840	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 3840	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 3840	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 4060	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 4060	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 4028 wrote to memory of 4060	4028	b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe	cmd.exe
PID 3840 wrote to memory of 2356	3840	cmd.exe	WMIC.exe
PID 3840 wrote to memory of 2356	3840	cmd.exe	WMIC.exe
PID 3840 wrote to memory of 2356	3840	cmd.exe	WMIC.exe
PID 3440 wrote to memory of 4092	3440	cmd.exe	vssadmin.exe
PID 3440 wrote to memory of 4092	3440	cmd.exe	vssadmin.exe
PID 3440 wrote to memory of 4092	3440	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe
"C:\Users\Admin\AppData\Local\Temp\b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.bin.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\READ_ME.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:2444

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\D31MZGQF.vbs"
2⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
2⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
2⤵
PID:3256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
2⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ac
1⤵
PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D31MZGQF.vbs

MD5
07641762ad9c0d4b5983babccecb071b

SHA1
84afb077fccaa75f82338c30c5d03f4b67e39c62

SHA256
c65ff4443a32b8144455278a1fd98d442e1ad76f738a82668b2229acd7a2a117

SHA512
4be951540e9ad6c0eba31a1c31899ee1b327b4f37410cfc1f8a2fa8b27d705a265053f4ace0e8997b2ba337d293adb8d122860a85b775c41dfea5e1f252977ff

Download Submit
C:\Users\Admin\Desktop\READ_ME.hta

MD5
a076b2df780ea7d573ffd70ce0c603ea

SHA1
226531b08d9cdccf6de988172ed1e144b1d0be57

SHA256
6d5c611b01516055bbc4a56e992e7d90fcab562448d5b56a179d0f286c4b356a

SHA512
aa610f6f9c1b7cefe0f4bffe6acaae668b33e19430e137523193a51f30dd89b096b9fd29f323e9c1f71da0e6d99b8d8cb2eb334275db5ac02375af447a0e7fdd

Download Submit
memory/756-11-0x0000000000000000-mapping.dmp

Download
memory/1484-12-0x0000000000000000-mapping.dmp

Download
memory/2244-23-0x0000000000000000-mapping.dmp

Download
memory/2276-14-0x0000000000000000-mapping.dmp

Download
memory/2356-27-0x0000000000000000-mapping.dmp

Download
memory/2444-10-0x0000000000000000-mapping.dmp

Download
memory/2684-16-0x0000000000000000-mapping.dmp

Download
memory/2940-22-0x0000000000000000-mapping.dmp

Download
memory/3136-17-0x0000000000000000-mapping.dmp

Download
memory/3200-20-0x0000000000000000-mapping.dmp

Download
memory/3256-21-0x0000000000000000-mapping.dmp

Download
memory/3440-24-0x0000000000000000-mapping.dmp

Download
memory/3608-13-0x0000000000000000-mapping.dmp

Download
memory/3840-25-0x0000000000000000-mapping.dmp

Download
memory/4028-9-0x0000000005093000-0x0000000005095000-memory.dmp

Filesize
8KB

Download
memory/4028-8-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/4028-7-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4028-2-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/4028-6-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/4028-5-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/4028-3-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4040-19-0x0000000000000000-mapping.dmp

Download
memory/4060-26-0x0000000000000000-mapping.dmp

Download
memory/4092-28-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads