Analysis

max time kernel: 23s
max time network: 112s
platform: windows10_x64
resource: win10v20210408
submitted: 19-04-2021 16:24

Static task: static1

Behavioral task: behavioral1
Sample: ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
Resource: win7v20210410

Behavioral task: behavioral2
Sample: ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
Resource: win10v20210408

General

Target: ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
Size: 71KB
MD5: 97780c0075e7749f8880f41b91f8892f
SHA1: dfa6e362535ddfeb7df53b29cc6830617d581df1
SHA256: ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a
SHA512: fbe6cd18a2a2703ef3a747c029b72945c1bad467dad035910098590b66eeece92c1cbf4ce35adb5da0481ab700aa9a565c450b92883a78f82d933546fa6d65ed
Malware Config
Signatures
Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (all entries recorded for ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe):
  File renamed: C:\Users\Admin\Pictures\UseUnregister.crw => C:\Users\Admin\Pictures\UseUnregister.crw.C5FD50131E8DE5718091D61E7F56AA5F949986AF97ED8D26F780FF3611407B78
  File renamed: C:\Users\Admin\Pictures\StopImport.png => C:\Users\Admin\Pictures\StopImport.png.8D615E00F7EB53F46895D5A044E0D7270B72084FA0DB9F78C9F3BC1EF2BA1769
  File opened for modification: C:\Users\Admin\Pictures\UpdateRestore.tiff
  File renamed: C:\Users\Admin\Pictures\UnprotectResume.crw => C:\Users\Admin\Pictures\UnprotectResume.crw.6B7A602B48476519B876FC1AC575F6CB4DDB5CF636D7F07409DFED3FF82A6A7B
  File renamed: C:\Users\Admin\Pictures\UpdateRestore.tiff => C:\Users\Admin\Pictures\UpdateRestore.tiff.9EFF13523916000578059442C900F63DE3E1667324EB156BB23B49063A23C20A
Drops startup file (1 IoC)
Processes (all entries recorded for ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\YOUR_FILES_ARE_ENCRYPTED.HTML
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (28 IoCs)
Processes (all entries recorded for ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe):
  File opened for modification: C:\Users\Public\Pictures\desktop.ini
  File opened for modification: C:\Users\Public\Videos\desktop.ini
  File opened for modification: C:\Users\Admin\Documents\desktop.ini
  File opened for modification: C:\Users\Admin\OneDrive\desktop.ini
  File opened for modification: C:\Users\Admin\Pictures\desktop.ini
  File opened for modification: C:\Users\Public\Downloads\desktop.ini
  File opened for modification: C:\Users\Public\Desktop\desktop.ini
  File opened for modification: C:\Users\Public\desktop.ini
  File opened for modification: C:\Users\Public\Libraries\desktop.ini
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  File opened for modification: C:\Users\Admin\Favorites\desktop.ini
  File opened for modification: C:\Users\Admin\Searches\desktop.ini
  File opened for modification: C:\Users\Admin\Videos\desktop.ini
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini
  File opened for modification: C:\Users\Admin\Favorites\Links\desktop.ini
  File opened for modification: C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  File opened for modification: C:\Users\Public\Documents\desktop.ini
  File opened for modification: C:\Users\Admin\Contacts\desktop.ini
  File opened for modification: C:\Users\Admin\Music\desktop.ini
  File opened for modification: C:\Users\Admin\Saved Games\desktop.ini
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  File opened for modification: C:\Users\Admin\Downloads\desktop.ini
  File opened for modification: C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  File opened for modification: C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  File opened for modification: C:\Users\Admin\Desktop\desktop.ini
  File opened for modification: C:\Users\Public\AccountPictures\desktop.ini
  File opened for modification: C:\Users\Public\Music\desktop.ini
  File opened for modification: C:\Users\Admin\Links\desktop.ini
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (all entries recorded for ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe):
  File opened (read-only): \??\R:
  File opened (read-only): \??\O:
  File opened (read-only): \??\F:
  File opened (read-only): \??\X:
  File opened (read-only): \??\M:
  File opened (read-only): \??\Q:
  File opened (read-only): \??\E:
  File opened (read-only): \??\Y:
  File opened (read-only): \??\U:
  File opened (read-only): \??\J:
  File opened (read-only): \??\K:
  File opened (read-only): \??\Z:
  File opened (read-only): \??\V:
  File opened (read-only): \??\W:
  File opened (read-only): \??\T:
  File opened (read-only): \??\P:
  File opened (read-only): \??\S:
  File opened (read-only): \??\G:
  File opened (read-only): \??\B:
  File opened (read-only): \??\N:
  File opened (read-only): \??\I:
  File opened (read-only): \??\H:
  File opened (read-only): \??\L:
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (all entries recorded for vssvc.exe, pid 64):
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeAuditPrivilege
Processes

C:\Users\Admin\AppData\Local\Temp\ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ca5751036a12d0a9fba5f2c6cd2bde61b9c40e1607f751c39212b9c9a94c6b5a.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops desktop.ini file(s)
  - Enumerates connected drives

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken