e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60

General

Target

e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
Size

3.5MB
MD5

3d1cc4ef33bad0e39c757fce317ef82a
SHA1

f34e4b7080aa2ee5cfee2dac38ec0c306203b4ac
SHA256

e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60
SHA512

8294b31a0f12fdc583ec1df5b9e36dfbb53745588da517c8c7842b197f96190b3228c759604df60159265e0f384bae0042ccc63ee966e81dc59b89b934b94e5b

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Public\Desktop\Fix-Your-Files.txt

Ransom Note

-------------------------------------------- | What happened to your files? -------------------------------------------- We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more - all were encrypted using a military grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files right now. But dont worry! You can still get those files back and be up and running again in no time. --------------------------------------------- | How to contact us to get your files back? --------------------------------------------- The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network. Once run on an effected computer, the tool will decrypt all encrypted files - and you can resume day-to-day operations, preferably with better cyber security in mind. If you are interested in purchasing the decryption tool contact us at bapcocrypt@ctemplar.com ------------------------------------------------------- | How can you be certain we have the decryption tool? ------------------------------------------------------- In your mail to us attach up to 3 files (up to 3MB, no databases or spreadsheets). We will send them back to you decrypted.

Emails

bapcocrypt@ctemplar.com

Signatures

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\TraceRevoke.tiff	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File renamed	C:\Users\Admin\Pictures\OptimizeFormat.tif => C:\Users\Admin\Pictures\OptimizeFormat.tifwQtKr	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File renamed	C:\Users\Admin\Pictures\RequestApprove.crw => C:\Users\Admin\Pictures\RequestApprove.crwYFHzv	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File renamed	C:\Users\Admin\Pictures\TraceRevoke.tiff => C:\Users\Admin\Pictures\TraceRevoke.tiffmealj	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 4 IoCs

Processes:

e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15168_.GIF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\MST7MDT	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\PREVIEW.GIF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01060_.WMF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00204_.WMF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15072_.GIF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\pt-PT.pak	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR35F.GIF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Adobe.css	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR8B.GIF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01178_.WMF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_dot.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00642_.WMF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\ORG97.SAM	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Foundry.eftx	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_h.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01852_.WMF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107308.WMF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00011_.WMF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATHEDITOR_K_COL.HXK	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE.DPV	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WITHCOMP.XML	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03668_.WMF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0150861.WMF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00809_.WMF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_few-showers.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00173_.WMF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01253_.GIF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00157_.GIF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left.gif	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238983.WMF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SPRNG_01.MID	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0228823.WMF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\vlc.mo	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_cloudy.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02386_.WMF	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART12.BDR	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.DPV	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh87	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jce.jar	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-options.jar	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24Images.jpg	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe

pid process

2016 e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1008 vssvc.exe
Token: SeRestorePrivilege 1008 vssvc.exe
Token: SeAuditPrivilege 1008 vssvc.exe

pid	process
2016	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe

description	pid	process
Token: SeBackupPrivilege	1008	vssvc.exe
Token: SeRestorePrivilege	1008	vssvc.exe
Token: SeAuditPrivilege	1008	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
"C:\Users\Admin\AppData\Local\Temp\e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1008

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads