5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63

General

Target

5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
Size

1.6MB
MD5

9dc69e7f75fb54fccc1443309d95b760
SHA1

5cafde7651e25d4cf234e861e9a0a50dab01a438
SHA256

5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63
SHA512

ce0ef629913999ca87f3a578241c71eed26900ffb38014815641ec6176e8aa07fc1cdff5e86d8d8041ae6063ddc8798a0a7ecd01a15a99f2ebcae08dbf956d7f

Score

5^/10

ransomware

Malware Config

Signatures

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper = "C:\\users\\admin\\BAD_GOPHER.jpg"	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe

Drops file in Program Files directory 64 IoCs

Processes:

5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe

description	ioc	process
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jre1.8.0_66\bin\t2k.dll.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.dub.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Google\Chrome\Application\86.0.4240.111\default_apps\drive.crx.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ADAL.DLL.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jre1.8.0_66\bin\kcms.dll.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-process-l1-1-0.dll.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jre1.8.0_66\bin\java_crw_demo.dll.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.ConnectionUI.dll.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Google\Chrome\Application\86.0.4240.111\chrome.dll.sig.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ppd.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-private-l1-1-0.dll.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jre1.8.0_66\bin\management.dll.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ppd.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL082.XML.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8EN.LEX.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\PREVIEW.GIF.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\ko.pak.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\lt.pak.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Java\jre1.8.0_66\lib\cmm\sRGB.pf.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
File created	\??\c:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.locked	5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe

C:\Users\Admin\AppData\Local\Temp\5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe
"C:\Users\Admin\AppData\Local\Temp\5ead6837cbb5d7450c8ae309531e3d1a134e1792f78381ec1642928e2e788e63.exe"
1⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
PID:1204

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini
MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit

Analysis

Sharing