targetcompany | 863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1

General

Target

863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
Size

128KB
MD5

d687eb9fea18e6836bd572b2d180b144
SHA1

0e7f076d59ab24ab04200415cb35037c619d0bae
SHA256

863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1
SHA512

16aed099d7d1131facb76591176566a9de9a140948f467b7a43d7518215ce24490956b0996d0f7638cf0d313947f12d91d145ebe4d584779e119707d59463684

Score

10^/10

targetcompany evasion ransomware

Malware Config

Extracted

Path

C:\Program Files\How to decrypt files.txt

Family

targetcompany

Ransom Note

Your personal identifier: 4FFBEE10F033 All files on TOHNICHI network have been encrypted due to insufficient security. The only way to quickly and reliably regain access to your files is to contact us. The price depends on how fast you write to us. In other cases, you risk losing your time and access to data. Usually time is much more valuable than money. FAQ Q: How to contact us A: * Download Tor Browser - https://www.torproject.org/ * Open link in Tor Browser http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact * Follow the instructions on the website. Q: What guarantees? A: Before paying, we can decrypt several of your test files. Files should not contain valuable information. Q: Can I decrypt my data for free or through intermediaries? A: Use third party programs and intermediaries at your own risk. Third party software may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.�

URLs

http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact

Signatures

TargetCompany
Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
ransomware targetcompany
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2948 bcdedit.exe
2428 bcdedit.exe

pid	process
2948	bcdedit.exe
2428	bcdedit.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\MergeSplit.tif => C:\Users\Admin\Pictures\MergeSplit.tif.tohnichi	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File renamed	C:\Users\Admin\Pictures\ReceiveRename.raw => C:\Users\Admin\Pictures\ReceiveRename.raw.tohnichi	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File renamed	C:\Users\Admin\Pictures\RevokeTest.crw => C:\Users\Admin\Pictures\RevokeTest.crw.tohnichi	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File renamed	C:\Users\Admin\Pictures\SyncBlock.tif => C:\Users\Admin\Pictures\SyncBlock.tif.tohnichi	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe

description	ioc	process
File opened (read-only)	\??\A:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\F:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\G:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\J:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\L:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\Q:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\I:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\M:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\N:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\W:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\B:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\E:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\H:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\K:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\P:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\R:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\T:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\Z:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\O:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\S:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\U:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\V:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\X:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened (read-only)	\??\Y:	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe

Generic Ransomware Note 64 IoCs

Ransomware often writes a note containing information on how to pay the ransom.

Processes:

yara_rule
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note

Drops file in Program Files directory 64 IoCs

Processes:

863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\ui-strings.js	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-cn\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\ICE.ELM	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\THMBNAIL.PNG	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.json	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses.svg	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations_retina.png	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark@2x.png	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ko_135x40.svg	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\ui-strings.js	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\adc_logo.png	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\de-de\ui-strings.js	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\he-il\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\.lastModified	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_zh_CN.jar	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\uk-ua\ui-strings.js	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\main.css	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-text.xml	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-down_32.svg	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-sl\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\ui-strings.js	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\ui-strings.js	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\bbc_co_uk.luac	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessMessageDismissal.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN107.XML	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\How to decrypt files.txt	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2604 vssadmin.exe

pid	process
2604	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe

pid	process
900	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
900	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exevssvc.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	900	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
Token: SeDebugPrivilege	900	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
Token: SeBackupPrivilege	2180	vssvc.exe
Token: SeRestorePrivilege	2180	vssvc.exe
Token: SeAuditPrivilege	2180	vssvc.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.execmd.execmd.exe

description	pid	process	target process
PID 900 wrote to memory of 2604	900	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe	vssadmin.exe
PID 900 wrote to memory of 2604	900	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe	vssadmin.exe
PID 900 wrote to memory of 4028	900	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe	cmd.exe
PID 900 wrote to memory of 4028	900	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe	cmd.exe
PID 900 wrote to memory of 3264	900	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe	cmd.exe
PID 900 wrote to memory of 3264	900	863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe	cmd.exe
PID 4028 wrote to memory of 2428	4028	cmd.exe	bcdedit.exe
PID 4028 wrote to memory of 2428	4028	cmd.exe	bcdedit.exe
PID 3264 wrote to memory of 2948	3264	cmd.exe	bcdedit.exe
PID 3264 wrote to memory of 2948	3264	cmd.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
"C:\Users\Admin\AppData\Local\Temp\863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\System32\vssadmin.exe
"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:2604

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2428

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
2⤵
- Suspicious use of WriteProcessMemory
PID:3264