balaclava | 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a

General

Target

190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
Size

66KB
MD5

c9a3f59644226858255588cd5d3c6d56
SHA1

be1e18396b118b13cc2128ab7efbe11833dc4d53
SHA256

190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a
SHA512

ba450f886ee9f24eed23298b8749dfa64ee4a48d70c89dcbaa3d10b6d3a9cd7bfdff377aae5f1a13ff9383e137be61eae6814c856df4325d108a2339a4683699

Score

10^/10

balaclava ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\HOW_TO_RECOVERY_FILES.txt

Family

balaclava

Ransom Note

Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address daves.smith@aol.com In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Before payment you can send us 1 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 2 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Email to contact us - daves.smith@aol.com YOUR PERSONAL ID : 2B97C0EC94560515F4286634C03FC6FDBA454A8804B615D46C85EDFA4708E124 8F2779E021590BEB23E17290C1F7F6AFEFBE625C33D6F74222A8A8C3C37FED16 B6FA0E0F1642C2EC471CE1410C03808B33E5494D8AB504E737826F2F7A47B18D 8E6B81FD5294302500DE5FEE21B6F4CDD65354B6979047F81254A47DE50194A3 D7997CBD5D932C29EA2BC1FEB46FC4C804F3FC5A77021319967B7D137BE996A1 110A9A43562EF7BFDFD2407E4100E68D01372A59ED9ECF9FF94E6009D817894C F6C09A0E40C6878664C7BC4801DD6DE76EB89FA90CD91CCEE7B7525F8E092FB4 47873D10545DC91D20FDB961AF9A109738CF69A7686A37852A28427F641543ED DE83AA7A0C0B9CBA5E4AE54F2212926EFD93E688146B2B11B6BD5E11F70BB144 93A6895D57C10590B0BF1D6A3B1DEDB797CB7F49CCB63E8F0C3C9C77CD643723 A5F21F0CD3E8685E0A26B89741686DB813B278B08D82391035C6A0BBB77613FC D641200EF5E39CF0EF5CA9EAA563D563B219A03DA6FF4579AEA3DEDB073329DE DE446C6C4D213E5BA0F74906E151D743639B764E1F49E3D0A7A20EE722FC27C2 EE5E7DC8F3A5171469395272F7A1735DEB5ED9C772E30F282ACD7F1B8BD1D34F D5C065E0D9C6B470217F43D988946738F3087D4910A74C2AC03A7295620A00EA 19946CC743EB5DCE5CC0009B00B486F862F0687BBC19AB145E933F7C3E8D826A CEB81FF1F9AB10AFEFA7393376B6618E9D46E2B7D6A54E7DBDDB788F8D4448DE A80522BC10324364DC9730D322C551E2A94516AB225E2AF626938CFD8400914D CAB0166C8A75A95B185233F26E9F15E3A7B456EEEB9BF263B057D4BD255CEEE2 C841D5EDB472A160988ED333234B33F08E763553851F5CF0DDDA25F1EBC6DF54 C617FC5D97ED2710EC038C32DA0E8CC06F4626955254790F00C3ED75D5AE22C4 026A439955467F4DD83B610AF0845FA6989C47340FEF53CA39055C8E6D588460 9FBB6A0C59BBA30562324CEBE1103A553F470C97961C02DA202057DD49B25E1E CF176701C9488828D156F0170A7DE6DE6031ED1E0C5E4759B9A83396AD579EB1 E2962EC09C0A267B7EF6C9F86A6A0B5B0542B9F1B67B3C7891BA1C177DF77F73 0FFF2A52EAB5C101BD

Emails

daves.smith@aol.com

Signatures

Balaclava Malware
Balaclava malware is a ransomware program.
ransomware balaclava
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3368 created 652 3368 WerFault.exe 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

description	pid	process	target process
PID 3368 created 652	3368	WerFault.exe	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\FindAssert.tiff	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Pictures\MergeRequest.tiff	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

Drops desktop.ini file(s) 28 IoCs

Processes:

190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

description ioc process

File opened (read-only) \??\A: 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

description	ioc	process
File opened (read-only)	\??\A:	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

Drops file in Program Files directory 64 IoCs

Processes:

190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\mask\1d.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\so_16x11.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-200.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x_2x.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\id_16x11.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-32_altform-unplated.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\HOW_TO_RECOVERY_FILES.txt	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\coffee.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\az_16x11.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-unplated.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7336_24x24x32.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_altform-unplated_contrast-white.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\ui-strings.js	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\evilgrin.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-96_altform-unplated.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\line.cur	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_zh_CN.jar	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL016.XML	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\HOW_TO_RECOVERY_FILES.txt	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\ui-strings.js	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-200.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\LargeKlondikeTile.jpg	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeLargeTile.scale-200_contrast-white.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-fullcolor.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\ui-strings.js	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\IGX.DLL	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.ProgressiveProcessing.dll	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2_40x40x32.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Hold.m4a	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-96.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-16.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\ui-strings.js	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\selector.js	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxSignature.p7x	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeMediumTile.scale-125.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\HOW_TO_RECOVERY_FILES.txt	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_background.jpg	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10191_48x48x32.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroSup64.dll	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\HOW_TO_RECOVERY_FILES.txt	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_MouseNose.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-125.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-dark-disabled_32.svg	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\ui-strings.js	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-125_contrast-black.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\HOW_TO_RECOVERY_FILES.txt	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3368 652 WerFault.exe 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

pid	pid_target	process	target process
3368	652	WerFault.exe	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3368	WerFault.exe
3368	WerFault.exe
3368	WerFault.exe
3368	WerFault.exe
3368	WerFault.exe
3368	WerFault.exe
3368	WerFault.exe
3368	WerFault.exe
3368	WerFault.exe
3368	WerFault.exe
3368	WerFault.exe
3368	WerFault.exe
3368	WerFault.exe
3368	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3368 WerFault.exe
Token: SeBackupPrivilege 3368 WerFault.exe
Token: SeDebugPrivilege 3368 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	3368	WerFault.exe
Token: SeBackupPrivilege	3368	WerFault.exe
Token: SeDebugPrivilege	3368	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
"C:\Users\Admin\AppData\Local\Temp\190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 1012
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini
MD5
f4b6bdca1be550ce29a39136eca50a35

SHA1
cbcf7c73086d32dacf38e77189172eb210c1f081

SHA256
eff6c0ceadba63308633636e7565ad0c7c6b6dc8e5f107fdcad48a6cc695c58e

SHA512
834fe61ec4907ffc94b428b283f9cacae2599b91ecf458ef95ff3035f26d877d679003e0254b321b8e37552466342f05b12461c3ce2a2b23d6157d145ed0cbb7

Download Submit
memory/3368-3-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads