e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c

General

Target

e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
Size

7KB
MD5

ebbc82f619471384f392efd5c4d05883
SHA1

17d91b45c8615d0f09d1100d2be396cbcba21fde
SHA256

e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c
SHA512

3e33bd22c440e9ab4a065d216467c1220780aa2a39a38ea4aec81d050d3e6048e87244341fbeac2cdefebae9fe987b713e0d4fcf34adf1390b5ccda6dd448241

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\odt\!_READ_ME_!.txt

Ransom Note

Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at: saveinfo89@yahoo.com === BEGIN === AD7D6889 010200000168000000A40000BD7DB4E2EBEE1544 BEB9D99571A8D84A7040F22B0ADB6E3B833BCF2E C5D4F995343F6EDF3093A92CFA8FBD94D168F792 6C9C083E7B47B200F51447AB4F543AB74F873474 733C6A6C982B49CB40F4DABEB74CB526713A9A6C 28A36B0BAAFED1D100DCDFCD66AE0B46AA71F64C C85D9710D96244EF863BCFEE2A54DB405DC40B30 === END ===

Emails

saveinfo89@yahoo.com

Signatures

Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

3804 WScript.exe

pid	process
3804	WScript.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe

description	ioc	process
File opened (read-only)	\??\O:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\V:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\W:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\Y:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\Z:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\I:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\L:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\M:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\S:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\T:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\U:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\F:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\P:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\R:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\X:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\E:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\H:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\K:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\Q:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\G:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\J:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File opened (read-only)	\??\N:	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\eu-es\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\excluded.txt._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ro-ro\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Bears.jpg._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\main.css._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\plugin.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-si\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ro-ro\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\rna-main.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\ui-strings.js._CRYPT	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\!_READ_ME_!.txt	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe

description	pid	process	target process
PID 3128 wrote to memory of 3804	3128	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe	WScript.exe
PID 3128 wrote to memory of 3804	3128	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe	WScript.exe
PID 3128 wrote to memory of 3804	3128	e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe
"C:\Users\Admin\AppData\Local\Temp\e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.vbs"
2⤵
- Deletes itself
PID:3804

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c.sample.vbs
MD5
aadec5d9ed737fb7491d58088cf11345

SHA1
caaed15d7bbd693020a7dcf4a6a9866c17c6d8d9

SHA256
c8d7e47fcb3a4345202f7ef3fd0db90eb1a1b9cab44e91a9befab3ec3dfa6476

SHA512
abfdde6d7176384b5f5a92a1373f8ae41789f8a3d1d88313d1c85bd742e4d824a203430db2efa2a09bd6c43595219cf2dfdd00281de68c001fa62bc70cafb1ac

Download Submit
memory/3804-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads