mountlocker | e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac

General

Target

e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
Size

46KB
MD5

2f512bcf9d5fb1930365ecde38f683dc
SHA1

9825ae4ae7c65a4fa622478b60659e1992e7f725
SHA256

e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac
SHA512

7819106e25732fe76858d1f4561e7851caee35bd9f10b5b392521fa0f596eb37c174ebbfd959cd5f675d09fa9d4c4325b0f09e9d7d36d8d140a9a0ee6f22beee

Score

10^/10

mountlocker ransomware

Malware Config

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Pictures\ResolveHide.tiff	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File renamed	C:\Users\Admin\Pictures\ResolveHide.tiff => \??\c:\Users\Admin\Pictures\ResolveHide.tiff.ReadManual.DF01933C	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File renamed	C:\Users\Admin\Pictures\StartUninstall.tif => \??\c:\Users\Admin\Pictures\StartUninstall.tif.ReadManual.DF01933C	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File renamed	C:\Users\Admin\Pictures\TraceExport.tif => \??\c:\Users\Admin\Pictures\TraceExport.tif.ReadManual.DF01933C	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File renamed	C:\Users\Admin\Pictures\UpdateComplete.png => \??\c:\Users\Admin\Pictures\UpdateComplete.png.ReadManual.DF01933C	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File renamed	C:\Users\Admin\Pictures\WaitBackup.tif => \??\c:\Users\Admin\Pictures\WaitBackup.tif.ReadManual.DF01933C	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe

Drops desktop.ini file(s) 27 IoCs

Processes:

e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Public\AccountPictures\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Admin\OneDrive\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe

Drops file in Program Files directory 64 IoCs

Processes:

e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe

description	ioc	process
File created	\??\c:\Program Files\Java\jdk1.8.0_66\db\bin\RecoveryManual.html	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons_retina.png	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ru-ru\RecoveryManual.html	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\System\ado\RecoveryManual.html	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ne.txt	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\RecoveryManual.html	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File created	\??\c:\Program Files (x86)\Windows NT\TableTextService\RecoveryManual.html	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\ui-strings.js	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\it-it\ui-strings.js	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL020.XML	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\RecoveryManual.html	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\br.txt	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\RecoveryManual.html	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_ja.jar	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\RecoveryManual.html	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover_2x.png	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\add-comment-2x.png	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\RecoveryManual.html	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File created	\??\c:\Program Files\VideoLAN\VLC\lua\meta\art\RecoveryManual.html	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\sdxs.xml	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions.png	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up.gif	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\RecoveryManual.html	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\[email protected]	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\sRGB.pf	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\main.css	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ko_get.svg	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign-2x.png	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\RecoveryManual.html	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_listview_18.svg	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\altDekstopCopyPasteHelper.js	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\RecoveryManual.html	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lt_get.svg	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\boot.jar	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Java\jre1.8.0_66\lib\security\US_export_policy.jar	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\RecoveryManual.html	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\selector.js	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-il\ui-strings.js	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\ui-strings.js	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File created	\??\c:\Program Files\VideoLAN\VLC\plugins\audio_mixer\RecoveryManual.html	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Java\jre1.8.0_66\lib\javaws.jar	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\RecoveryManual.html	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3088 vssadmin.exe

pid	process
3088	vssadmin.exe

Modifies registry class 5 IoCs

Processes:

e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.DF01933C\shell	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.DF01933C\shell\Open	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.DF01933C\shell\Open\command\ = "explorer.exe RecoveryManual.html"	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.DF01933C\shell\Open\command	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.DF01933C	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exe

pid process

1500 powershell.exe
1500 powershell.exe
1500 powershell.exe
1500 powershell.exe
1500 powershell.exe
1500 powershell.exe

pid	process
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

powershell.exewhoami.exevssvc.exee435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe

description	pid	process
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeDebugPrivilege	3000	whoami.exe
Token: SeBackupPrivilege	2596	vssvc.exe
Token: SeRestorePrivilege	2596	vssvc.exe
Token: SeAuditPrivilege	2596	vssvc.exe
Token: SeTakeOwnershipPrivilege	4044	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
Token: SeRestorePrivilege	4044	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exepowershell.execmd.exe

description	pid	process	target process
PID 4044 wrote to memory of 1500	4044	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe	powershell.exe
PID 4044 wrote to memory of 1500	4044	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe	powershell.exe
PID 1500 wrote to memory of 3000	1500	powershell.exe	whoami.exe
PID 1500 wrote to memory of 3000	1500	powershell.exe	whoami.exe
PID 1500 wrote to memory of 3088	1500	powershell.exe	vssadmin.exe
PID 1500 wrote to memory of 3088	1500	powershell.exe	vssadmin.exe
PID 4044 wrote to memory of 208	4044	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe	cmd.exe
PID 4044 wrote to memory of 208	4044	e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe	cmd.exe
PID 208 wrote to memory of 264	208	cmd.exe	attrib.exe
PID 208 wrote to memory of 264	208	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

264 attrib.exe

pid	process
264	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe
"C:\Users\Admin\AppData\Local\Temp\e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden -c $mypid='4044';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259266296.tmp')|iex
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups /user
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:3088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0F74A686.bat" "C:\Users\Admin\AppData\Local\Temp\e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\system32\attrib.exe
    attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\e435a95489a4ebdfdc12031091f92a7f9c5e3f6cc9b55355ee4030d82553e9ac.bin.exe"
    3⤵
    - Views/modifies file attributes
    PID:264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0F74A686.bat

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\~259266296.tmp

MD5
b4f0414c0b3441ce0187ffb1d53b1721

SHA1
d7c4aaac0c8d13029aeae5561cf67a0c39c24bb1

SHA256
85d1f46682fedd1d8fb05564e885873c91879943e937cd292fe607ef6aa9db4f

SHA512
bfb6737ffe8361802719d92aa7c0d2274e88ea0ff45fa5307e964bd822bbfbf749ec9c622a47c68003453d8d8a7253d84d50460cc8b2eb6cacc513b82b27de96

Download Submit
memory/208-141-0x0000000000000000-mapping.dmp

Download
memory/264-143-0x0000000000000000-mapping.dmp

Download
memory/1500-114-0x0000000000000000-mapping.dmp

Download
memory/1500-120-0x000002C7EB200000-0x000002C7EB202000-memory.dmp

Filesize
8KB

Download
memory/1500-119-0x000002C7EB110000-0x000002C7EB111000-memory.dmp

Filesize
4KB

Download
memory/1500-121-0x000002C7EB203000-0x000002C7EB205000-memory.dmp

Filesize
8KB

Download
memory/1500-127-0x000002C7EB540000-0x000002C7EB541000-memory.dmp

Filesize
4KB

Download
memory/1500-140-0x000002C7EB206000-0x000002C7EB208000-memory.dmp

Filesize
8KB

Download
memory/3000-133-0x0000000000000000-mapping.dmp

Download
memory/3088-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads