ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a

General

Target

ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
Size

71KB
MD5

97780c0075e7749f8880f41b91f8892f
SHA1

dfa6e362535ddfeb7df53b29cc6830617d581df1
SHA256

ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a
SHA512

fbe6cd18a2a2703ef3a747c029b72945c1bad467dad035910098590b66eeece92c1cbf4ce35adb5da0481ab700aa9a565c450b92883a78f82d933546fa6d65ed

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ExportReceive.tiff	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\Pictures\MeasureUpdate.tiff	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\Pictures\UndoRead.tiff	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File renamed	C:\Users\Admin\Pictures\ExportReceive.tiff => C:\Users\Admin\Pictures\ExportReceive.tiff.97B923D6F19D5656773269549E5DC466DF4AB3C57D9F0F2A0E134CBB96372D34	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File renamed	C:\Users\Admin\Pictures\MeasureUpdate.tiff => C:\Users\Admin\Pictures\MeasureUpdate.tiff.C58A74512240B7174ED54CD69DB26C71A2133EBA5F0A11ADA3E14BA1C5571E5A	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File renamed	C:\Users\Admin\Pictures\UndoRead.tiff => C:\Users\Admin\Pictures\UndoRead.tiff.1DAE6766D29899A640DED2D6151F1751617E1CBE5288939FCFF53F888003B506	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 36 IoCs

Processes:

ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MLS6OOW4\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VLFEZDK1\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\93PHUZFG\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Public\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XVLP3GFJ\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe

description	ioc	process
File opened (read-only)	\??\E:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\I:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\G:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\L:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\M:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\W:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\U:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\P:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\J:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\V:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\N:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\Q:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\O:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\S:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\F:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\H:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\K:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\X:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\R:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\T:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\Y:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\Z:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
File opened (read-only)	\??\B:	ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1712 vssvc.exe
Token: SeRestorePrivilege 1712 vssvc.exe
Token: SeAuditPrivilege 1712 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1712	vssvc.exe
Token: SeRestorePrivilege	1712	vssvc.exe
Token: SeAuditPrivilege	1712	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
"C:\Users\Admin\AppData\Local\Temp\ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
PID:1100