Analysis

max time kernel: 139s
max time network: 16s
platform: windows7_x64
resource: win7v20210408
submitted: 16-04-2021 13:28

Static task: static1

Behavioral task: behavioral1
Sample: 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Resource: win10v20210410

General

Target: 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Size: 124KB
MD5: 3c93f5734de703d7ad198d2dad3b7ca4
SHA1: e9e4531a8aa8275fbf9b0e480eaeacd4f5a932b3
SHA256: c71384686c8caa0a72dcc7e0a4e93f56b8c66f9523fa1498ec9cf1794144ad70
SHA512: eb12c08e4dbca51410c9cd52abe113f01b1951dbe1f13918f927d8c9545de423a27c4377f2ff919f901d5a91ba3f527c0d8e531514b5220f9bbb8bc4b374b35d
Malware Config

Signatures

Drops file in Drivers directory (3 IoCs)
Processes: 8a1c3ee0e1919990ff018eb286566b50.bin.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 8a1c3ee0e1919990ff018eb286566b50.bin.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\BackupDisconnect.raw => C:\Users\Admin\Pictures\BackupDisconnect.raw.cerber | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File renamed | C:\Users\Admin\Pictures\OptimizeMerge.crw => C:\Users\Admin\Pictures\OptimizeMerge.crw.cerber | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File renamed | C:\Users\Admin\Pictures\RenamePublish.png => C:\Users\Admin\Pictures\RenamePublish.png.cerber | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Processes:
resource | yara_rule
behavioral1/memory/624-64-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral1/memory/624-67-0x0000000000400000-0x000000000040E000-memory.dmp | upx
Drops startup file (1 IoC)
Processes: 8a1c3ee0e1919990ff018eb286566b50.bin.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Loads dropped DLL (2 IoCs)
Processes: 8a1c3ee0e1919990ff018eb286566b50.bin.exe
pid | process
1632 | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
1632 | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: 8a1c3ee0e1919990ff018eb286566b50.bin.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsSupport = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7xaR2S712xh26sU.exe" | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSupport = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7xaR2S712xh26sU.exe" | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Drops file in System32 directory (64 IoCs)
Processes: 8a1c3ee0e1919990ff018eb286566b50.bin.exe
description | ioc | process
File opened for modification | C:\Windows\System32\catroot2\edb00466.log | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\ph3xibc3.inf_amd64_neutral_1da6abc36a79974f\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\Amd64\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\Amd64\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremiumN\license.rtf | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\crcdisk.inf_amd64_neutral_d10626d1f8b423c3\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mstape.inf_amd64_neutral_c2bb3ef1c45cd5a1\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnca00b.inf_amd64_neutral_4412894f52d39895\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\wd.inf_amd64_neutral_759109899b486d47\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\hcw72b64.inf_amd64_neutral_023772237d3a4ade\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmzyp.inf_amd64_neutral_b64bd08009e7444f\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netl1c64.inf_amd64_neutral_30b0b06f47cab8cf\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpzscw71.dtd | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpD5400t.xml | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wiaca00a.inf_amd64_neutral_163313056d8f34ab\CNC970W.DAT | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\UltimateN\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmcm28.inf_amd64_neutral_d3fa0f62d3d7cea1\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\Amd64\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj6400t.xml | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\umpass.inf_amd64_neutral_e3be362bfab667d2\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netl160a.inf_amd64_neutral_f8bdd2cbac28a8fd\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnca003.inf_amd64_neutral_8e91d4aa9330d2f8\Amd64\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnsv002.inf_amd64_neutral_6ca80563d6148ee5\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\eval\Professional\license.rtf | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\SysWOW64\ja-JP\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\SysWOW64\wbem\en-US\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\hidir.inf_amd64_neutral_5b48c4b1b49ca54a\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_neutral_b4e8ccc6ba210e97\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPLJ2300.CFG | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPOJ2600.CFG | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\SysWOW64\migration\en-US\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmaiwa3.inf_amd64_neutral_77e515342bd572cc\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmbr00a.inf_amd64_neutral_aa4f0850ff03674e\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPF4A63L.XML | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj4680t.xml | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnrc00b.inf_amd64_neutral_3338d41663aad5fa\Amd64\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\wiaca00i.inf_amd64_neutral_de104aaa48ee4b00\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-TapiSetup\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\SysWOW64\migwiz\PostMigRes\data\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDiagnostics\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnky004.inf_amd64_neutral_5db759db19acd3ae\Amd64\KYW7QUR4.XML | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\StarterE\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\SysWOW64\IME\IMEJP10\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\SysWOW64\lv-LV\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmmcom.inf_amd64_neutral_716a306ec3899e04\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmnokia.inf_amd64_neutral_a8e9a41983d33a0b\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4200t.xml | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx002.inf_amd64_neutral_12563574abbc36eb\Amd64\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\SysWOW64\migwiz\MigApp.xml | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_neutral_db76873d4261eb11\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPOJ7400.CFG | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremium\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\cxfalpal_ibv64.inf_amd64_neutral_4c42ac5f00413365\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmmetri.inf_amd64_neutral_f89b8a357327f615\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO1500T.XML | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnky006.inf_amd64_neutral_522043c34551b0c0\Amd64\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\SysWOW64\locationnotificationsview.xml | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-ADFS-DL\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: 8a1c3ee0e1919990ff018eb286566b50.bin.exe
description | pid | process | target process
PID 1632 set thread context of 624 | 1632 | 8a1c3ee0e1919990ff018eb286566b50.bin.exe | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Drops file in Program Files directory (64 IoCs)
Processes: 8a1c3ee0e1919990ff018eb286566b50.bin.exe
description | ioc | process
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialMergeLetter.dotx | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\README.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\settings.js | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.XML | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Perspective.dotx | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SUBMIT.JS | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01742_.GIF | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR15F.GIF | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24Images.jpg | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveMergeLetter.dotx | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_h.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\misc\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14870_.GIF | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid.gif | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00037_.GIF | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME12.CSS | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL011.XML | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_orange.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveReport.dotx | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\EmbeddedView.jpg | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN022.XML | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00130_.GIF | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\URBAN_01.MID | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_bottom.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Program Files\Java\jre7\lib\amd64\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new_partly-cloudy.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\SignedManagedObjects.cer | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Right.accdt | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Essential.xml | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Drops file in Windows directory (64 IoCs)
Processes: 8a1c3ee0e1919990ff018eb286566b50.bin.exe
description | ioc | process
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..onal-keyboard-kbdsf_31bf3856ad364e35_6.1.7601.17514_none_dc81a23f2b5aacf6\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_c3b9072b536514f6\drag.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..ese-virtuallexicons_31bf3856ad364e35_6.1.7600.16385_none_4461f03928e3378d\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Windows Default.wav | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-w..vider-dll.resources_31bf3856ad364e35_7.2.7601.16406_en-us_7354fb0428db8bda\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft.windows.dsc.core.resources_31bf3856ad364e35_7.2.7601.16406_en-us_324d4cb33f1bc8c6\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_netfx-mscorpjt_dll_31bf3856ad364e35_6.1.7600.16385_none_d77af9a299d44999\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\Media\Characters\Windows Default.wav | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-n..ion-netsh.resources_31bf3856ad364e35_6.1.7600.16385_en-us_26755b3cf4f83e8e\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_windowssearchengine.resources_31bf3856ad364e35_7.0.7600.16385_en-us_145b9a152dcf317c\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-format_31bf3856ad364e35_6.1.7600.16385_none_265f38d5eb4d284a\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-timedate_31bf3856ad364e35_6.1.7601.17514_none_91b39661220c0b0a\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\x86_srpuxnativesnapin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_509c17d312183abd\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\AU-wp3.jpg | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-chkwudrv_31bf3856ad364e35_6.1.7600.16385_none_e310d8704f99ffc7\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_wcf-m_svc_mod_svc_perf_h_31bf3856ad364e35_6.1.7600.16385_none_f72b6337a9731440\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallRoles.sql | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.5.7601.17514_none_05454dfbda0d69c8\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-autochkconfigurator_31bf3856ad364e35_6.1.7600.16385_none_74b76d3fa1757c6f\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_et-ee_9ed31df1798cc171\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-kernelstreamingsupport_31bf3856ad364e35_6.1.7600.16385_none_bde9acc8f46cb6db\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_bdatunepia_31bf3856ad364e35_6.1.7601.17514_none_c81348afa0c88995\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-videoport_31bf3856ad364e35_6.1.7600.16385_none_180f3dba1e158073\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_da-dk_a30ceec4cc4e21a8\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_adp94xx.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7d4dd7ec25670124\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-f..emutilityfatlibrary_31bf3856ad364e35_6.1.7600.16385_none_aa56df3c7375ad12\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\msil_microsoft.windows.d..providers.resources_31bf3856ad364e35_7.2.7601.23317_en-us_cebb84c12f499e04\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_679a6ba79b07a3c0\combo-hover-right.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-pantherengine_31bf3856ad364e35_6.1.7601.17514_none_b018d97c0418d0df\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-security-digest-mof_31bf3856ad364e35_6.1.7600.16385_none_882154d1711868d5\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_pt-pt_bcd447c1f0c30137\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\msil_microsoft.data.serv..owershell.resources_31bf3856ad364e35_7.2.7601.23317_en-us_37460b051e3abf4c\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-t..d-chinese-shuangpin_31bf3856ad364e35_6.1.7600.16385_none_1e8c88df3830bbcc\TableTextServiceSimplifiedShuangPin.txt | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_38fe497fea9b41b8\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_c3b9072b536514f6\combo-hover-right.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPZSCWN7.DTD | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_ru-ru_4b24905cea20b869\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\41.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-winocr-tifffilter_31bf3856ad364e35_6.1.7600.16385_none_8f17e9d40553824d\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\square_dot.png | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-synceng_31bf3856ad364e35_6.1.7600.16385_none_bc3ea04f9f2cedf4\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-ie-ieadvpack_31bf3856ad364e35_11.2.9600.16428_none_b1495d82e39ccc79\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-smartcardplugins_31bf3856ad364e35_6.1.7601.17514_none_7992975835f65c9e\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_code_b03f5f7f11d50a3a_6.1.7600.16385_none_09906177615c2112\WebAdminPage.cs | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_server-help-chm.comexp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_251c978d797d5c4b\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\Boot\PCAT\en-US\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-dssec.resources_31bf3856ad364e35_6.1.7601.17514_en-us_ce9950e8870ce4ec\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-s..gement-ui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_24fb4a662264c972\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-p..oler-core.resources_31bf3856ad364e35_6.1.7600.16385_en-us_83cc51ad1b26becc\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft.managemen..ta.events.resources_31bf3856ad364e35_7.2.7601.16406_en-us_f4c24a55114301af\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..chrecognizerenu.ale_31bf3856ad364e35_6.1.7600.16385_en-us_2a26b846c28f1791\wp1033.bin | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\auxpad.xml | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_wsdscdrv.inf_31bf3856ad364e35_6.1.7600.16385_none_2c33389ae33260ae\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-credui.resources_31bf3856ad364e35_6.1.7601.17514_en-us_64222f560083ded6\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-US\Wallpaper\US-wp3.jpg | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Tools\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-p..tomizationsnonwinpe_31bf3856ad364e35_6.1.7601.17514_none_29f4eed2a5d64c25\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..ider-interface-stub_31bf3856ad364e35_6.1.7600.16385_none_f8210304686499ec\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-s..p-cleanup.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00d364258c12a004\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created | C:\Windows\winsxs\x86_netfx35linq-system.net_31bf3856ad364e35_6.1.7601.17514_none_fddc165478b1f2d0\HOW TO DECRYPT FILES.html | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe.config | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification |
C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\shuffle_over.png 8a1c3ee0e1919990ff018eb286566b50.bin.exe -
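The run of file events above is the encryption pass as the sandbox recorded it: the same note, HOW TO DECRYPT FILES.html, is created in directory after directory (WinSxS, the GAC, the boot files), while existing data files in those directories are opened for modification. The Python below is an added example for this page, not sandbox or sample code. It scores the three signals a report like this carries (one file name fanned out across many directories, a suffix appended to renamed files, one process rewriting many existing files) from the raw event lines. The created/modified lines are copied from this report; the two "File renamed" lines and the thresholds are constructed for the example.

```python
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample input in the sandbox's "<description> <path> <process>" form.
# The "File created" / "File opened for modification" lines are copied from this
# report; the two "File renamed" lines are made up for the example and only
# mirror the ".cerber" rename pattern the report attributes to the sample.
SAMPLE_EVENTS = r"""
File created C:\Windows\winsxs\amd64_microsoft-windows-videoport_31bf3856ad364e35_6.1.7600.16385_none_180f3dba1e158073\HOW TO DECRYPT FILES.html 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created C:\Windows\winsxs\amd64_adp94xx.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7d4dd7ec25670124\HOW TO DECRYPT FILES.html 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created C:\Windows\Boot\PCAT\en-US\HOW TO DECRYPT FILES.html 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.html 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File created C:\Windows\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.html 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\41.png 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification C:\Windows\Globalization\MCT\MCT-US\Wallpaper\US-wp3.jpg 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe.config 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File renamed C:\Users\Admin\Documents\budget.xlsx => C:\Users\Admin\Documents\budget.xlsx.cerber 8a1c3ee0e1919990ff018eb286566b50.bin.exe
File renamed C:\Users\Admin\Documents\notes.docx => C:\Users\Admin\Documents\notes.docx.cerber 8a1c3ee0e1919990ff018eb286566b50.bin.exe
"""

# The process name is the last whitespace-free token; everything between the
# description and it is the path (which may contain spaces, as the note name does).
EVENT_RE = re.compile(r"^(File created|File opened for modification|File renamed) (.+) (\S+)$")


def parse_events(text: str) -> List[Tuple[str, str, str]]:
    """Return (description, path, process) for each well-formed event line."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def analyse(events, note_min_dirs: int = 3, rename_min: int = 2, modify_min: int = 3) -> Dict:
    """Three ransomware signals: note fan-out, appended extensions, mass modification.

    The thresholds are assumptions chosen for the example, not values from the report.
    """
    created_dirs: Dict[str, set] = defaultdict(set)      # basename -> directories it was created in
    appended: Dict[str, List[str]] = defaultdict(list)   # appended extension -> original paths
    modified: Dict[str, set] = defaultdict(set)          # process -> existing files it opened for write
    for desc, path, proc in events:
        if desc == "File created":
            directory, name = ntpath.split(path)
            created_dirs[name.lower()].add(directory.lower())
        elif desc == "File renamed" and " => " in path:
            src, dst = path.split(" => ", 1)
            # "x.ext => x.ext.NEW" is the extension-append pattern; a plain
            # rename to an unrelated name does not count.
            if dst.lower().startswith(src.lower() + "."):
                appended[dst[len(src):].lower()].append(src)
        elif desc == "File opened for modification":
            modified[proc].add(path)
    return {
        # one file name created in many unrelated directories = ransom note drop
        "ransom_note_candidates": {n: len(d) for n, d in created_dirs.items() if len(d) >= note_min_dirs},
        # the same suffix appended to several files = encrypted-file marker
        "appended_extensions": {e: sorted(p) for e, p in appended.items() if len(p) >= rename_min},
        # one process rewriting many existing data files = encryption pass
        "mass_modification": {p: len(f) for p, f in modified.items() if len(f) >= modify_min},
    }


def is_ransomware_like(findings: Dict) -> bool:
    """A note fan-out plus either encryption signal is the combination worth paging on."""
    return bool(findings["ransom_note_candidates"]) and bool(
        findings["appended_extensions"] or findings["mass_modification"]
    )


if __name__ == "__main__":
    result = analyse(parse_events(SAMPLE_EVENTS))
    for key, value in result.items():
        print(key, value)
    print("ransomware-like:", is_ransomware_like(result))
```

The note fan-out is the most robust of the three signals: it does not depend on knowing the extension in advance, and a legitimate installer never writes the same HTML file into WinSxS, the GAC and the boot directory.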
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 10 IoCs
Processes:
8a1c3ee0e1919990ff018eb286566b50.bin.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NOEPTEJBOAZIRJV\DefaultIcon | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NOEPTEJBOAZIRJV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7xaR2S712xh26sU.exe,0" | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NOEPTEJBOAZIRJV\shell\open | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NOEPTEJBOAZIRJV\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7xaR2S712xh26sU.exe" | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cerber\ = "NOEPTEJBOAZIRJV" | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NOEPTEJBOAZIRJV | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NOEPTEJBOAZIRJV\ = "CRYPTED!" | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NOEPTEJBOAZIRJV\shell\open\command | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NOEPTEJBOAZIRJV\shell | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cerber | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
-
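The registry entries above are a complete file association: .cerber is bound to the ProgID NOEPTEJBOAZIRJV, whose friendly name is "CRYPTED!" and whose DefaultIcon and shell\open\command both point at an executable in the user's Temp folder. The effect is that double-clicking any encrypted file launches that Temp executable rather than any viewer. The Python below is an added example for this page (not sandbox or sample code) that rebuilds the extension -> ProgID -> open command chain from the "Set value" lines and flags a handler that lives in a user-writable path. The event lines are copied from this report; the list of user-writable path markers is an assumption of the example.

```python
import re
from typing import Dict, List

# Constructed sample input: the "Set value" / "Key created" lines of this report,
# in the sandbox's own '<description> <key>[ = "<value>"] <process>' form.
SAMPLE_REGISTRY_EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NOEPTEJBOAZIRJV\DefaultIcon 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NOEPTEJBOAZIRJV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7xaR2S712xh26sU.exe,0" 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NOEPTEJBOAZIRJV\shell\open 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NOEPTEJBOAZIRJV\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7xaR2S712xh26sU.exe" 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cerber\ = "NOEPTEJBOAZIRJV" 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NOEPTEJBOAZIRJV\ = "CRYPTED!" 8a1c3ee0e1919990ff018eb286566b50.bin.exe
"""

CLASSES_PREFIX = "\\registry\\machine\\software\\classes\\"
SET_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (\S+)$')

# Heuristic, an assumption for this example: a shell handler that launches
# something from a user-writable location is not what a legitimate installer does.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def build_registry(text: str) -> Dict[str, str]:
    """Map lower-cased key path -> (Default) value for every 'Set value' event.

    The sandbox prints a trailing backslash for the (Default) value and escapes
    backslashes inside string values; both are undone here.
    """
    reg: Dict[str, str] = {}
    for line in text.strip().splitlines():
        m = SET_RE.match(line.strip())
        if m:
            _vtype, key, value, _proc = m.groups()
            reg[key.rstrip("\\").lower()] = value.replace("\\\\", "\\")
    return reg


def first_token(command: str) -> str:
    """Executable part of a shell command: the quoted part, or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def resolve_associations(reg: Dict[str, str]) -> List[Dict]:
    """Follow ext -> ProgID -> shell\\open\\command for every extension key that was set."""
    results = []
    for key, progid in reg.items():
        if not key.startswith(CLASSES_PREFIX):
            continue
        ext = key[len(CLASSES_PREFIX):]
        if not ext.startswith(".") or "\\" in ext:
            continue                      # not a top-level extension key
        base = CLASSES_PREFIX + progid.lower()
        command = reg.get(base + "\\shell\\open\\command")
        exe = first_token(command) if command else None
        results.append({
            "extension": ext,
            "progid": progid,
            "friendly_name": reg.get(base),
            "open_command": command,
            "default_icon": reg.get(base + "\\defaulticon"),
            "executable_in_user_writable_path": bool(exe) and any(
                marker in exe.lower() for marker in USER_WRITABLE_MARKERS
            ),
        })
    return results


if __name__ == "__main__":
    for assoc in resolve_associations(build_registry(SAMPLE_REGISTRY_EVENTS)):
        print(assoc)
```

Note that the handler target, 7xaR2S712xh26sU.exe, is a different file name from the submitted sample; the association is the reason an encrypted machine keeps re-running the ransomware when a user opens a .cerber file, and it survives deletion of the original dropper.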
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
8a1c3ee0e1919990ff018eb286566b50.bin.exe
description | pid | process | target process
PID 1632 wrote to memory of 624 | 1632 | 8a1c3ee0e1919990ff018eb286566b50.bin.exe | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
PID 1632 wrote to memory of 624 | 1632 | 8a1c3ee0e1919990ff018eb286566b50.bin.exe | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
PID 1632 wrote to memory of 624 | 1632 | 8a1c3ee0e1919990ff018eb286566b50.bin.exe | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
PID 1632 wrote to memory of 624 | 1632 | 8a1c3ee0e1919990ff018eb286566b50.bin.exe | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
PID 1632 wrote to memory of 624 | 1632 | 8a1c3ee0e1919990ff018eb286566b50.bin.exe | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
PID 1632 wrote to memory of 624 | 1632 | 8a1c3ee0e1919990ff018eb286566b50.bin.exe | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
PID 1632 wrote to memory of 624 | 1632 | 8a1c3ee0e1919990ff018eb286566b50.bin.exe | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
PID 1632 wrote to memory of 624 | 1632 | 8a1c3ee0e1919990ff018eb286566b50.bin.exe | 8a1c3ee0e1919990ff018eb286566b50.bin.exe
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\8a1c3ee0e1919990ff018eb286566b50.bin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8a1c3ee0e1919990ff018eb286566b50.bin.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
2⤵ C:\Users\Admin\AppData\Local\Temp\8a1c3ee0e1919990ff018eb286566b50.bin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8a1c3ee0e1919990ff018eb286566b50.bin.exe"
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
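All eight write events go from PID 1632 to PID 624, and both processes carry the same image name; the process tree shows the outer process with SetThreadContext and WriteProcessMemory and the inner one with every ransomware behaviour. Spawning a copy of your own image, overwriting it and redirecting its thread is the process-hollowing pattern. The Python below is an added example for this page, not part of the report, that correlates the write events, the per-process signatures and the memory dump names into one finding per writer/target pair. The write lines and dump names are copied from the report; mapping the tree's depth-1 entry to PID 1632 and the depth-2 entry to PID 624 is an assumption taken from the write direction, since the tree itself shows no PIDs.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample input. The report lists the WriteProcessMemory line below
# eight times and names the memory dumps below; both are reproduced as-is.
WPM_EVENTS = "\n".join(
    ["PID 1632 wrote to memory of 624 1632 "
     "8a1c3ee0e1919990ff018eb286566b50.bin.exe 8a1c3ee0e1919990ff018eb286566b50.bin.exe"] * 8
)
DUMP_NAMES = [
    "memory/624-67-0x0000000000400000-0x000000000040E000-memory.dmp",
    "memory/624-64-0x0000000000400000-0x000000000040E000-memory.dmp",
    "memory/1632-63-0x0000000000360000-0x000000000036D000-memory.dmp",
    "memory/1632-60-0x0000000075551000-0x0000000075553000-memory.dmp",
]
# Signature names per PID, taken from the process tree. The tree shows no PIDs;
# assigning the depth-1 entry to 1632 and the depth-2 entry to 624 is an
# assumption derived from the write direction in WPM_EVENTS.
INDICATORS = {
    1632: {"Loads dropped DLL", "Suspicious use of SetThreadContext",
           "Suspicious use of WriteProcessMemory"},
    624: {"Drops file in Drivers directory", "Modifies extensions of user files",
          "Adds Run key to start application", "Modifies registry class"},
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_writes(text: str) -> Dict[Tuple[int, int], Dict]:
    """Collapse repeated write events into (writer, target) -> count and image names."""
    writes: Dict[Tuple[int, int], Dict] = {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        entry = writes.setdefault((src, dst), {"count": 0, "src_image": m.group(3), "dst_image": m.group(4)})
        entry["count"] += 1
    return writes


def parse_dumps(names: List[str]) -> Dict[int, List[Tuple[int, int]]]:
    """PID -> distinct [start, end) regions the sandbox dumped from that process."""
    regions: Dict[int, List[Tuple[int, int]]] = defaultdict(list)
    for name in names:
        m = DUMP_RE.match(name)
        if m:
            pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            if (start, end) not in regions[pid]:
                regions[pid].append((start, end))
    return regions


def correlate(writes, indicators, regions) -> List[Dict]:
    """Grade each cross-process write by who wrote to whom and whether a thread was redirected."""
    findings = []
    for (src, dst), w in writes.items():
        same_image = w["src_image"].lower() == w["dst_image"].lower()
        redirects_thread = "Suspicious use of SetThreadContext" in indicators.get(src, set())
        if same_image and redirects_thread:
            verdict = "likely process hollowing: parent rewrites a child copy of its own image"
        elif redirects_thread:
            verdict = "likely remote injection with thread hijack"
        else:
            verdict = "cross-process write, context needed"
        findings.append({
            "writer": src, "target": dst, "writes": w["count"],
            "same_image": same_image, "set_thread_context": redirects_thread,
            "verdict": verdict,
            # what the sandbox captured in the target; 0x400000 is the usual image base
            "dumped_target_regions": [(hex(s), hex(e), e - s) for s, e in regions.get(dst, [])],
            # behaviours observed in the written-to process, i.e. the payload
            "payload_behaviour": sorted(indicators.get(dst, set())),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_writes(WPM_EVENTS), INDICATORS, parse_dumps(DUMP_NAMES)):
        print(f)
```

The dumped region in the child, 0xE000 bytes starting at 0x400000, is the 56KB image the Downloads section lists for PID 624 and that the UPX rule matched, which is what one expects when the parent has unpacked its payload and written it over the child's image base.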
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\11.gif
MD5 71e80af2e6a1ff5e3b3289f48062aa80
SHA1 f25e4e69d0d510c71bcdc67ab4da2266c694e2b7
SHA256 73911a7249188fda4c15aed5fe4026fe9e3ac061cc5d4c5d31efb96ec5e80a8b
SHA512 b45b04e268082f9bea74b7f612c0fd26f1faf2a15103624eff5634861e5f1fea060ff49c36975083e8a37db42a23bbc0d5f0673574c2524704fc185008497eae
-
C:\Users\Admin\AppData\Roaming\EmbeddingExampleXML2FO.png
MD5 1b3aa75f043053bc5cc59527e3853a75
SHA1 65d2c4910aea8dc6f67a2caf3760f6169b6fe61d
SHA256 af9082203ec286cd1451755c32676bc585e30901ba37ae2a1518bd07c02e87d3
SHA512 e25e4d2ab42d3dbc14935f19c3d432e234dab2e113c411f8f8e3aad58b823ae0d7f7046eba57c680b5c18332d99621f1f52c5d53136007a8f3e5934ce311a6aa
-
C:\Users\Admin\AppData\Roaming\README_uk_UA.txt
MD5 e98722a9f0f83e5de3857a290cb837ef
SHA1 f0f9e8c130c443454409d4e3a0db370a89f81c41
SHA256 ebf82f0263f798a86db05d69c860d93e9d3d9d38e2ac347e0133b4d7f7cfe19c
SHA512 46bf03b7fd6871fd60699568d5680e45ab197397f7fc696dacc613fbadb313e86b5cfc1bfbcfd1057314135d88cb1dd51d3d814885a65fb2ef5575f3479cc90a
-
C:\Users\Admin\AppData\Roaming\Title_mainImage-mask.png
MD5 a534dbb39b25cd463993c98a10f21be7
SHA1 da990ed559100f15b56f8eb355483627f25fedbe
SHA256 2b7c4ad5f01ace9583241dde497ce1fa8c812c4578810ac9b9aedd0bba5e9ffa
SHA512 28417c207b12dcf6fec18031370facedda07ee11e01ed610e87beaa30805851668205d3bc9561b0c3124a48db199f371a540064fdbefb5b4e66ca3f0bf130102
-
C:\Users\Admin\AppData\Roaming\additional_tools_get_help_icon.png
MD5 d01ed2f7d7f6107a8583710c0e88eb81
SHA1 49a5fd44b434aa98975a1e74bebffeabf873fb44
SHA256 46bc2bdb446644dcf207f8115a465ab34ce961510828fa346f0a846e4a11b14f
SHA512 b8baac8346ce992c2176d06c0e7b37d687d59ff60e31c813ab05110b0402f8b43c62fb582e1abffb34c5bc676510aa87d3e2d78adefc65532eca731e3293a217
-
C:\Users\Admin\AppData\Roaming\backup.png
MD5 6ed51081962a1d8cf23c43605c6b09f0
SHA1 0419fdc5163216da78c2d80495897149a508109d
SHA256 c4e27de236a56caee688afd40049f18c5b9a8fdde302930110b0c7f10375862e
SHA512 864ab8325afed2b5635c30a29b0585a292aaae14b3415f54d78605bea3c7c203c6357531c587043e9154f43020f10d591949477f1a3cfc05941e70c509119595
-
C:\Users\Admin\AppData\Roaming\body.font.family.xml
MD5 741ebea20d92252476c181f1b5b7fb80
SHA1 5495217cb8434bfba68e7a821731b35ba7397729
SHA256 3e4bc0ae5f439dd0bcefab715bad539c2d869f88f0723cd12de1efd67da4bdd9
SHA512 3980a36f0389f33da1ac16fbca8c14e859846da7cd0707c4ed7bb1be9a056f113544b7f0dee37c10e68d7a602c7fd85836bb5dd8fb7f6a891b5dac792a32e393
-
C:\Users\Admin\AppData\Roaming\callout.list.table.xml
MD5 8c441654fcd4735162cd808447e88af8
SHA1 6ea09c1a61b1d4261ac931c84b67f1b8bb4f7beb
SHA256 88454cdf2039ac24294b9bddecd6fa72a70c3b8313af0a91ceabf6268b400e58
SHA512 a5d5bba5b2684042ac5e562d271dbc971ab89d8ce4837c1bfb82d061802af92ab71a5128c3f649f16832dcd74120d3dec40178ae11a4c3e3fc4094a58107907b
-
C:\Users\Admin\AppData\Roaming\checkbox_normal.png
MD5 dda9098e3d99d8c19f89ad6dbb5a34ae
SHA1 211304833c001d3bc1f3b7c0dd84db72da016930
SHA256 e3348498654980867afaf8e71f82d252cf5dc49d9e548ee8501fc598934ee426
SHA512 56248ce105788acf270ec197bd40609f8db838ca6bedec7040000ebc89f4361732519760d397f2d44fc9ef9f6df36e8ccaddcf28f282dcd6e63d4b255816a305
-
C:\Users\Admin\AppData\Roaming\description.xml
MD5 5db4e1c1fc3924e60534f8df377e5460
SHA1 60da040e88331590614af43d291939e703e756df
SHA256 10cb3a8816567dac7628cf3e51e637bb8730fff1fb36e52cffb1774cebdca3bb
SHA512 78b4b29cdbb985c11abb93d5e7175973c1d2590a7f6c9e5a7c83f901e6645c6bdddabc442daa708c57f71aaa45d907840b2548dc8786e644cf6a8cd57e2af17f
-
C:\Users\Admin\AppData\Roaming\formal.object.properties.xml
MD5 c6da466da7bc3f969b34f6b0f46f5b0a
SHA1 5047ba82ac25506767079ddf156ff6dfb8bfe24d
SHA256 c686ea8d6b485c5cf77c035d949e5ee58e7ac4be65fcf940686cbc14213264a5
SHA512 9c76e79615e9434917efa96fffeffa1909fb9192708a02cecf6b6005e2ce8fa481bf0e80ffac26c2b945954a0ed2df87539632162cd02244f71be89c847ded33
-
C:\Users\Admin\AppData\Roaming\html.extra.head.links.xml
MD5 2fac14c88cb12905230ed9da3ac993d2
SHA1 411e7669c2756918bad08b82c146bb62e3c6378d
SHA256 1901c63e8606e7be89a00571b5b980a7895f4cf16fdef13e1a64b2faf655162c
SHA512 96fb9dca831cfdfa718bc7500c66a6ad782db57227f26c64448283522f94b5ac1bc63911892fcdca2e9deafe1a1a86c581b971e85a681a36f314c156393a2468
-
C:\Users\Admin\AppData\Roaming\htmlhelp.button.jump1.title.xml
MD5 09f122a61b82b26526eaa4216dd5dd83
SHA1 e5f4b42cbbc8d49128f46d796b1daa2298424f2c
SHA256 6bcc2222944ad141c58680b2498b4477814d46314a612762efe9f61a815544f3
SHA512 f48768689f573c60394229f6761d8cbe9e13874ddbb48416c943728340b7a151cd57bb97f16063753a2d9dc806e02d887bc17bcd794f5254a02a3f622cd067dc
-
C:\Users\Admin\AppData\Roaming\nonopt.js
MD5 6b4ef092f48591188867156535f40586
SHA1 3876f4b3eec2d24d8c804305788a9733add332e3
SHA256 d0c9b17d5154d0093234bdda25fd60d193ddb517aa9e3a3da3262ee63d5ad82d
SHA512 6d6914151b456512a50cbd1f2d6fb1c90a41f0561e93df59c3b47987586c0e69a9d73ab0c47d7e5d82c72a7ac76d534bfc4fb1ebf2c63c7c61ec3c57177d4121
-
C:\Users\Admin\AppData\Roaming\output.indent.xml
MD5 9215752f0ca40036244f01afcf1a837d
SHA1 63d2ea9aafb823a711e2012b491647ebbf6e9be2
SHA256 ab19889554d2e3a5c4d0b0a36673d64df4f9f5ccbecf895488254c93afdd8d79
SHA512 4b59efde0b1e095ae8c4f860190d8327a9663a550c7725c38b6e75d105d660f27ea4b06948e10299b6e7993b258c9a2973b2233a16a4bf5399f4617e2ffdfb70
-
C:\Users\Admin\AppData\Roaming\phone.png
MD5 e861693c9904060c0a3defc08b58eb9c
SHA1 39d84135adcf8a3bd80baf4b3f6a3e22a3e10a53
SHA256 069b5121529b0e81374bca8408fa6b1de0c2a8420c417f1bafb0dc2b725f72a8
SHA512 95da0bd00f31dcd7c1edeb92c24edf5791f681d3090026763078fc5ececfef339bd74049df9c066d6c746beed7db85fc90bcf7805801fa7ee86178e856777d34
-
C:\Users\Admin\AppData\Roaming\play-static.png
MD5 7898207290f8d86a4a58985d18674538
SHA1 0e7187f7f82e6b4a81826c10fc917554a52e01db
SHA256 1b30b4536931d0c79152a4af8b51ff188988947086a314f4419be243e567980e
SHA512 240f7ce2f84f559f05058227b2604fc0b99d97d6f03051c71af2e4989b6c9eeb160a4ad5bb1890978d71afcb697ea1b748ec957f0a50291475f36174159ca7eb
-
C:\Users\Admin\AppData\Roaming\printer.png
MD5 bd09b3de440413ad45dc037b889889c7
SHA1 c1e72444a7a0697c8622fa84a881d4fe644a2de4
SHA256 657d65c54ada3ba5dd5a20ff326cc496723f41979f09b443bbf88658c45f4c8a
SHA512 637b5da35672ff6a9ad36518c7007c3bd0fb102d09c4ea30fc324071991650b5c45bac712ca509f340785aeb32e69969bb024b028dc35f60b93911a35561e82e
-
C:\Users\Admin\AppData\Roaming\rebuild-all.xml
MD5 9a002974e41bd4fbddee78e1d8baa168
SHA1 f1eccc8b4edc7e33f866694668e4238c77c024f4
SHA256 28ccb66608ae1d7f73545ab5f49ce2b81ed06b79e7169ea030b4102830a18f9a
SHA512 d28ebd41f9dea6c22e37d13e06811cd5feb4de5fdcbe44c6faee4b4116b20812d7de4b43508fae823dae6070ee3c9f45e03b0e9d47b47d75e2474794c0c8ec37
-
C:\Users\Admin\AppData\Roaming\speaker.png
MD5 88efd1161cf4654856f261f89cbd16fa
SHA1 bcc3c2e4c4e0189ae69bc39a7261e920580d631a
SHA256 7e5ab6d48d5e03b93c1fac0ce126ea28e6abce29f6ae506a217f12234c13ca78
SHA512 fa0f489d2a89782723079dcb667858f3df35066d8bd7f1074eab39e99fb1c0ac12e84e06f4733c6d665458f33ab3c6ea819fdd8647674a4ea63a62cc33ee810d
-
C:\Users\Admin\AppData\Roaming\startTest-2.png
MD5 70cf7033b10b2986ef79e91a2124c47f
SHA1 64da3d4452b6588bd5c7770954ab0fe735fe818a
SHA256 4b9b30bd26135d5e5ef0d2fe72f8309f2092ac0bebe851b1b56f663389bc3820
SHA512 04a1d8dd12ac774313d341183355c6fb318dc8db107d896b171ca1a2e3e6bcb350b1e6fe87a7fb71c3eb6c06375e08bf3491862dcd2e2824ed4f56dbd70cae65
-
C:\Users\Admin\AppData\Roaming\test.js
MD5 b0078e645316564f40400933e6ce7be8
SHA1 47f9401df7932d243d387d2d4cd3e08cc217ddbb
SHA256 797f5ac99db9433c19300bb549380800f487d00102e7c14eed4757b1fb8e0d25
SHA512 0203dec33873ce50400ccc6583aa5690bf4eff6e7b405fc0d72b6033fa7bcb9624111f0b35fab876485417a81c4138daf71eba2a86d9cb21c9adf165cc67a2a7
-
C:\Users\Admin\AppData\Roaming\toc-blank.png
MD5 362d67f899016b3165be05f860f2bb58
SHA1 bad55f41d26ce462f13379b8e4ac7825704c8536
SHA256 dede084d552bd7b8f56815cdaa5838ff88202f90e50022d9af933da0edc4856c
SHA512 e2e4bcd02ca884abb8caebd5189d3614f1d425d03c7ce64fa2d2f855335430ca28e6243fd25b5d6aad07beb1695df1e1776cc4369f332ea62fa7dd61f38f6e55
-
C:\Users\Admin\AppData\Roaming\toc.list.type.xml
MD5 43857d8eeeab390852d5ea5cd7b9e886
SHA1 1bad0716afe3e86ee1b36a33d7f3c5d840333118
SHA256 6d441a2f06dec53852478760f60c3f4df6c789410bdd45477fae052685aa0ac2
SHA512 96d4d9c829dc3ab83aabdd69545fe8bfacd3d77fd10a863dc921cb1b1321405094e67ce10537fb5567e17627bd3faf547b953d35d702d74cf816debbb0e4d36a
-
C:\Users\Admin\AppData\Roaming\uninstall.png
MD5 8dd3b69ef8d9f556e73b2180f4f9a6f3
SHA1 8a660110ac1b86bb588e4baa2b7e0f71c1180f57
SHA256 4ca0a43918d222639034eff1617e0619ab6f37307ffa4d3fd4bcae21be9addc4
SHA512 99f3a00f311e381dfdb46febb56d1f234ba7b734f74b07bedae43e39e5e71ba359312cc23fcdb7c74e60891f5508834e6e27b96248c2be3290f7e09d551b0c02
-
C:\Users\Admin\AppData\Roaming\xbCollapsibleLists.js.xml
MD5 1f95e0cbd011cbba77dab38f891d2608
SHA1 c9c08934d2763a46a06d7bb655e1d9165ee4d8a3
SHA256 330bc9c93e771b86782867511f48b0d5de222d791e912456626380aaf9deaf6c
SHA512 9b32f90e01f7da857cc3608e76865066480034a78e5c46679cf4dc88a7dc85c2bdf56992fa0bdcd25e63dc972babeacd169fd31fd08260249e0f0d93e52f487b
-
\Users\Admin\AppData\Local\Temp\nsi5AFD.tmp\System.dll
MD5 883eff06ac96966270731e4e22817e11
SHA1 523c87c98236cbc04430e87ec19b977595092ac8
SHA256 44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
SHA512 60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390
-
\Users\Admin\AppData\Roaming\IP.dll
MD5 c54d2d96c56ff690e39d0d7608d6ead6
SHA1 f929f3e499c871930942ede00d718db4894dbb19
SHA256 3cbacb864a94e8f0b0d4fa1b578ace134d0d0582c62b8b7cc809a42cecd1348e
SHA512 03d9f7d32918351dc6750043b79d583829ea53b4d7c51f0b042dbab267e3b4046dc4339875b99721435be9b81e113043a30eb5472671a3762eccdc7f6c369603
-
memory/624-67-0x0000000000400000-0x000000000040E000-memory.dmp
Filesize 56KB
-
memory/624-64-0x0000000000400000-0x000000000040E000-memory.dmp
Filesize 56KB
-
memory/624-65-0x000000000040C680-mapping.dmp
-
memory/1632-63-0x0000000000360000-0x000000000036D000-memory.dmp
Filesize 52KB
-
memory/1632-60-0x0000000075551000-0x0000000075553000-memory.dmp
Filesize 8KB
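The Downloads list is the raw material for an IOC feed: every dropped file with its four digests, plus the memory dumps the sandbox took. Text exports of these reports often fuse the hash label to the path or to its value ("11.gifMD5", "SHA1f25e..."), which defeats a naive split on whitespace. The Python below is an added example for this page, not sandbox code, that parses both that fused layout and the clean "LABEL value" layout, validates every digest's length and hex alphabet, and emits deduplicated SHA-256 IOC lines for the dropped files while keeping memory dumps separate. The sample entries are copied from this report.

```python
import re
from typing import Dict, List

# Constructed sample input: four entries from this report's Downloads list in
# the raw text-export form, where the hash label is glued to the path
# ("...11.gifMD5") or to its value ("SHA1f25e..."), plus two memory dumps.
SAMPLE_EXPORT = r"""
-
C:\Users\Admin\AppData\Roaming\11.gifMD5
71e80af2e6a1ff5e3b3289f48062aa80
SHA1f25e4e69d0d510c71bcdc67ab4da2266c694e2b7
SHA25673911a7249188fda4c15aed5fe4026fe9e3ac061cc5d4c5d31efb96ec5e80a8b
SHA512b45b04e268082f9bea74b7f612c0fd26f1faf2a15103624eff5634861e5f1fea060ff49c36975083e8a37db42a23bbc0d5f0673574c2524704fc185008497eae
-
\Users\Admin\AppData\Roaming\IP.dllMD5
c54d2d96c56ff690e39d0d7608d6ead6
SHA1f929f3e499c871930942ede00d718db4894dbb19
SHA2563cbacb864a94e8f0b0d4fa1b578ace134d0d0582c62b8b7cc809a42cecd1348e
SHA51203d9f7d32918351dc6750043b79d583829ea53b4d7c51f0b042dbab267e3b4046dc4339875b99721435be9b81e113043a30eb5472671a3762eccdc7f6c369603
-
memory/624-67-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/624-65-0x000000000040C680-mapping.dmp
-
"""

EXPECTED_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"[0-9a-f]+")
# A label line: "SHA1 <hex>", glued "SHA1<hex>", or a bare label whose value follows.
LABEL_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9A-Fa-f]*)$")
SIZE_RE = re.compile(r"^Filesize\s*(\S+)$")
# A path line with the first label, or "Filesize", glued onto its end.
GLUED_PATH_RE = re.compile(r"^(.+?)(MD5|SHA1|SHA256|SHA512|Filesize)$")


def _new_record(path: str) -> Dict:
    kind = "memory" if path.startswith("memory/") else "file"
    return {"path": path, "kind": kind, "hashes": {}, "filesize": None}


def _store(rec: Dict, label: str, value: str) -> None:
    if label == "Filesize":
        rec["filesize"] = value
    else:
        rec["hashes"][label] = value.lower()


def parse_dropped_files(text: str) -> List[Dict]:
    """One record per dropped file or memory dump; 'valid' means every digest present is well-formed."""
    records: List[Dict] = []
    pending = None                          # label whose value is on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":         # "-" is the list separator
            continue
        if pending is not None:
            _store(records[-1], pending, line)
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m and records:
            if m.group(2):
                _store(records[-1], m.group(1), m.group(2))
            else:
                pending = m.group(1)
            continue
        m = SIZE_RE.match(line)
        if m and records:
            records[-1]["filesize"] = m.group(1)
            continue
        m = GLUED_PATH_RE.match(line)
        if m:
            records.append(_new_record(m.group(1)))
            pending = m.group(2)            # fused label: the value is on the next line
        else:
            records.append(_new_record(line))
    for rec in records:
        rec["valid"] = all(
            len(h) == EXPECTED_HEX_LEN[label] and HEX_RE.fullmatch(h) is not None
            for label, h in rec["hashes"].items()
        )
    return records


def ioc_lines(records: List[Dict]) -> List[str]:
    """Deduplicated '<sha256>  <path>' lines for dropped files with a well-formed SHA-256."""
    seen, out = set(), []
    for rec in records:
        sha256 = rec["hashes"].get("SHA256")
        if rec["kind"] == "file" and rec["valid"] and sha256 and sha256 not in seen:
            seen.add(sha256)
            out.append(f"{sha256}  {rec['path']}")
    return out


if __name__ == "__main__":
    for ioc in ioc_lines(parse_dropped_files(SAMPLE_EXPORT)):
        print(ioc)
```

Validation matters here because a digest with a dropped or duplicated character still looks like a hash and will silently never match anything in a blocklist; rejecting the record is better than shipping a dead indicator.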