balaclava | 5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319

Analysis

max time kernel
89s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
18-02-2021 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
Size

65KB
MD5

7ed4882c2a0d24c401cbce7536ddf792
SHA1

0f75ecdf6fbf37a186b3e9c79e0f8372c0c12ea0
SHA256

5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319
SHA512

8661260130a82ea2a11db641c28cfb7d4d69c9867bdc00c1980ce1733da37ee90253959401022e5dd603410a3957cb236b9d9f2babab62b18421addb2abd8903

Score

10^/10

balaclava ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\HOW_TO_RECOVERY_FILES.txt

Family

balaclava

Ransom Note

Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address [email protected] In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Before payment you can send us 1 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 2 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Email to contact us - [email protected] YOUR PERSONAL ID : 466094BF5AF35199E6CE787A0899D394BA9FC92C22EC55C19966ECA74F056625 3A91A5A068E690903F26741E8469F9FC666591BB9A09D46614108C8F68E990CC 357EB056844A1269A2E46733216415C2BDF3BB762CA0720D1309F42943FF6B9C 87DF5492C2A901A668A7561B0D73A47B1B8E48EE494B2A869D1140C4CCB291F5 AA915E1084E0CEB1F256E90C7FD2D6F1400B1A5767B895B8236017513A72FC3C 8E3D5C2DC2DF2FDDC30B9153B595F8525375F3D3A286A48DF5A6A762A66E55D2 1838ED11E1BDB54A315C36CD28D27DCF9C8A2F62B6885E832A2BAB29CF7C59D8 D0941747536D5644D29EA335CB5362633DB4968BA91B276822646A977F5971B1 92CB76DE4B7472B57DC79A5B3F4586F56C58798C91CD80393FAFC575A73BEF2E 3D79A07048A97063ECC45556028DFBDE0FA5F513D4D236282AA0BE2D8B011760 9C6EAF64AC61F85CB294233BA64B85B08BC3C3DBBC9700B007809ACFC4A08C7D 41E2007357A46D4E03686052D3E4C95E626B00FE0CB96523F61E71CBA713C6DA C726B130C3C557A6845B79DEFE6F77861697AB768387028ED9C90B3B8A42FE99 3A7C3E7AA55357F46FC8C07F493E1DA0BFE4CCAE41F4801BA921B0A3D518072C 83D7DA19B7B9786B67542AEF75A18CE5D3FA37E7976997D0E9B179E5B3B130AF F98BE28C1CCC458408A9478394286A0FD37C66481265E1A81584C047D3CB8D3C 89EB54B8D8ABDDE979BD91EA3083588A9532864A59547467400B8C6AF5703D7E 9C3409377C3440BA1B1E323D37C6CA411F814E142D9CD3F4E976F745EA68A605 9F4EAFF6CD35DDF557DD3070C681014C4B9E6ACD0C852BEF0BB7960131BEC4F9 005D317BE5702DE89BA78B5990142D20700188D200292A87A788392EDC03E55D 3D654E44BC516256E2CFD60F08C63C7EBCC13C8B00BABE69034A567F0F381F59 B55032F550EA328A66AB8450DBA583D08ABD4726DE8894A50436949455F2AD52 3F83AAA609112067841EB9A38A3AD71FD6EE3E9F389A52675E3E424444381BDE 9B5D3F3D3CC25CDE4FD6955514C8EBBECD5F17629D6E9E6113397D618B65E4DA A21F79DA61EEB4025E5D17049E3DB05C6429C161AE63132EDBAAFF2582552F5A 0503411A79DE6C01CB

Emails

[email protected]

Signatures

Balaclava Malware
Balaclava malware is a ransomware program.
ransomware balaclava

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1936 created 496	1936	WerFault.exe	67
PID 1920 created 496	1920	WerFault.exe	67

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\TraceImport.png => C:\Users\Admin\Pictures\TraceImport.png.daves_New	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Pictures\ApproveRedo.tiff	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File renamed	C:\Users\Admin\Pictures\ApproveRedo.tiff => C:\Users\Admin\Pictures\ApproveRedo.tiff.daves_New	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File renamed	C:\Users\Admin\Pictures\OutDismount.crw => C:\Users\Admin\Pictures\OutDismount.crw.daves_New	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File renamed	C:\Users\Admin\Pictures\RevokeEdit.crw => C:\Users\Admin\Pictures\RevokeEdit.crw.daves_New	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File renamed	C:\Users\Admin\Pictures\SwitchCompare.tif => C:\Users\Admin\Pictures\SwitchCompare.tif.daves_New	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe

Drops desktop.ini file(s) 28 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\beach_1h.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\sweating.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\HOW_TO_RECOVERY_FILES.txt	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-125.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\3px.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Gravel.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\AppxManifest.xml	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\HOW_TO_RECOVERY_FILES.txt	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-ms	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\HOW_TO_RECOVERY_FILES.txt	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-100_contrast-white.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireAppList.targetsize-20_altform-unplated.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-400.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderStoreLogo.scale-100.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\new_icons.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\HOW_TO_RECOVERY_FILES.txt	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Rotate.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sm_60x42.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Movie-TVStoreLogo.scale-100_contrast-white.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fi-fi\HOW_TO_RECOVERY_FILES.txt	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-72_altform-unplated.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2017.203.236.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\HOW_TO_RECOVERY_FILES.txt	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-unplated.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ro-ro\HOW_TO_RECOVERY_FILES.txt	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\HOW_TO_RECOVERY_FILES.txt	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\HOW_TO_RECOVERY_FILES.txt	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_stats_plugin.dll	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\index.html	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-150.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\Office.UI.Xaml.Core.dll	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\ui-strings.js	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinEditors.v8.1.dll	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-125_contrast-black.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Explosion.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-unplated.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-ae\ui-strings.js	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\HOW_TO_RECOVERY_FILES.txt	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\HOW_TO_RECOVERY_FILES.txt	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdca_plugin.dll	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ogg_plugin.dll	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-16.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore.Vui.winmd	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\sendforsignature.svg	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_MoveDrop32x32.gif	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Density_Selected_Solid.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-40_altform-unplated.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\splash.gif	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\sheep.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-150_contrast-black.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\bg_patterns_header.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\StudentReport.dotx	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\traintrackleftturn.3mf	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-100.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_zh_tw_135x40.svg	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\PopUp\Pop_up_Warning.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-200.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1920	496	WerFault.exe	67
1936	496	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1936	WerFault.exe
Token: SeBackupPrivilege	1936	WerFault.exe
Token: SeDebugPrivilege	1936	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
"C:\Users\Admin\AppData\Local\Temp\5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 932
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:1920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 916
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1920-4-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/1936-3-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download