balaclava | 5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8

Analysis

max time kernel
119s
max time network
128s
platform
windows10_x64
resource
win10v20201028
submitted
18-02-2021 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
Size

66KB
MD5

2046d5509a677e9af42a5b6533302d60
SHA1

a37f2520658ab6b9030a6aced46b4fa4ba260e95
SHA256

5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8
SHA512

2f168939c72906922b46b0dd82b060dcce5d24827ecac697b0e6f6a74b145a2cc081afb65c9bdceae8487ddfaa5dcbe1f14e09ecc29d32eb3a28899d90ba297b

Score

10^/10

balaclava ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\HOW_TO_RECOVERY_FILES.txt

Family

balaclava

Ransom Note

Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address [email protected] In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Before payment you can send us 1 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 2 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Email to contact us - [email protected] YOUR PERSONAL ID : 374D35FEEDD762101BB05932CD5D89F4CF82C9E8B5042AD8D602080E447627FB 04BE371C57DC9FB89E2CE1140C43545763DF0A14C5B6BF4E7D9C9D64661CB4A3 117FAD628BA7A3D9235EC69082FFF436E2CCE8159F6E16C3B396A91ED78EEE47 098CDB1E3D286E206616B2686A7FCCABB01917F41A3D747CEB838A2866B6BAAF C50CE7077F6140F5229949C368D5084E69DB038D208C0ABDC8E72CEA0A6FECCA 9A966278335D87F40270083C0F4401B8129AF3BA263D979597A3735561F870EC 2A66EA3E86B125E889E5C43FE9E5E3372A3F3271AEF5E83CE8503811DE1290EE E761B0B8A8B692582F6DF7A9C038F816040ED3F261E009EFF7F9703661D96DF9 04E1A6FB3C130D769A47FD954647DBA610B5926A2BEA4D69C0DB90E57EDD4F67 55041A50891D752A080ECD9A658CA2CF1372FA6BAEAEC01622CE39BC792A5E3B A12EA1EA866EF86C8C56172A7AA9858F46ADE5ED2EC0FCDDB7F36D6625B0BBCF 36D42447061DA7ACE96F975979144BE7CA9707FAE5FB418992CB2D2218ECFD02 A0B2F365C5A5E192F28854110269E1E04FAEB6D6C422173975D684044333CE05 4D62AE652521C22370EFCD15240CD7C446F4A87AF26BDE58C15D548C5CFC0C04 893AC3ED1812B1D261D15FFC99DB8E93CC911331943E3A5219A24CE960412A96 5A934CCAF873122270D9E2166A399705540FBDD27502D30E2509E865B9C9C72E 73933EC413DC9E63720EF04CBEA40D6879F1B7D78304D8597AAE570245172B40 5F5C1780A2A5F8077CC5EA7D8DCE69665ACB8B2E618BA3D34655162BD365D680 C3DEEE3FEF0AA3FA191CBBB2A8377430D12BC98855357CBCC486B9829D2B7F3A 1387C062EC6F4BEB86292DF84DBBD2E6741D8CEB533333DC3A928CEE2273FE63 08D362B0DC4314A396D1E97A51BFB10860DAA0FD9795046C8B6505AD0BEBB81C 637D015CB3CD535BE5183D747E1502B9F0722304B843FBFA5131F865DC2E63F9 7916E9236C4FB955CC03DADD57D8390308E81B346737BA5905ADD2690EB0F711 6CB6C3E5BADA15A691D9D12F4AFAF3B5953D29C33132E57746074750A74D72A0 6F89FB3B0B450A7CA4D47405B6A66AA89927377C7450C4DEEA3999F36B35E023 6915549698DD9D01E1

Emails

[email protected]

Signatures

Balaclava Malware
Balaclava malware is a ransomware program.
ransomware balaclava

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1404 created 728	1404	WerFault.exe	67

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ConvertExport.png => C:\Users\Admin\Pictures\ConvertExport.png.ponce_New	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File renamed	C:\Users\Admin\Pictures\NewRequest.raw => C:\Users\Admin\Pictures\NewRequest.raw.ponce_New	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File renamed	C:\Users\Admin\Pictures\OptimizeClear.tif => C:\Users\Admin\Pictures\OptimizeClear.tif.ponce_New	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File renamed	C:\Users\Admin\Pictures\RemoveDismount.raw => C:\Users\Admin\Pictures\RemoveDismount.raw.ponce_New	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe

Drops desktop.ini file(s) 28 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7260_48x48x32.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\MedTile.scale-200.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast_retina.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HOW_TO_RECOVERY_FILES.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_file_plugin.dll	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeLargeTile.scale-200_contrast-black.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-200.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-125.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\ui-strings.js	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ko-kr\ui-strings.js	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-ms	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\160.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\tn_16x11.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.v4.0.Utilities.dll	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreMedTile.scale-100.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reject_18.svg	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-100.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\video_offline_demo_page3.jpg	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\HOW_TO_RECOVERY_FILES.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\HOW_TO_RECOVERY_FILES.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\plugin.js	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\GrooveIntlResource.dll	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\rofl.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\cursors.properties	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\shape_torus.3mf	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cf_60x42.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\ui-strings.js	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.scale-100.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\bg_get.svg	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10909_40x40x32.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-32.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\ui-strings.js	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\bartlett.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.scale-125.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\HOW_TO_RECOVERY_FILES.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\HOW_TO_RECOVERY_FILES.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\ormma.js	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-24_altform-unplated_contrast-black.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-16.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-150.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\ui-strings.js	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\8-Point Star.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-200.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\msasxpress.dll	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\WideTile.scale-125.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\DashboardDefaultThumbnail.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SplashScreen.scale-200.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\HOW_TO_RECOVERY_FILES.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\HOW_TO_RECOVERY_FILES.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\WideTile.scale-125.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\29.jpg	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8498_32x32x32.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-20.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\HOW_TO_RECOVERY_FILES.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1404	728	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1404	WerFault.exe
Token: SeBackupPrivilege	1404	WerFault.exe
Token: SeDebugPrivilege	1404	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
"C:\Users\Admin\AppData\Local\Temp\5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 656
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1404-3-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download