e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60

General

Target

e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
Size

3.5MB
MD5

3d1cc4ef33bad0e39c757fce317ef82a
SHA1

f34e4b7080aa2ee5cfee2dac38ec0c306203b4ac
SHA256

e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60
SHA512

8294b31a0f12fdc583ec1df5b9e36dfbb53745588da517c8c7842b197f96190b3228c759604df60159265e0f384bae0042ccc63ee966e81dc59b89b934b94e5b

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Public\Desktop\Fix-Your-Files.txt

Ransom Note

-------------------------------------------- | What happened to your files? -------------------------------------------- We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more - all were encrypted using a military grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files right now. But dont worry! You can still get those files back and be up and running again in no time. --------------------------------------------- | How to contact us to get your files back? --------------------------------------------- The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network. Once run on an effected computer, the tool will decrypt all encrypted files - and you can resume day-to-day operations, preferably with better cyber security in mind. If you are interested in purchasing the decryption tool contact us at bapcocrypt@ctemplar.com ------------------------------------------------------- | How can you be certain we have the decryption tool? ------------------------------------------------------- In your mail to us attach up to 3 files (up to 3MB, no databases or spreadsheets). We will send them back to you decrypted.

Emails

bapcocrypt@ctemplar.com

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 3 IoCs

Processes:

e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WWINTL.DLL	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\12.jpg	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyFolder_160.svg	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\resources.pri	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-black_scale-100.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\MedTile.scale-200.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\NavColumn_Black\Icon_Advanced Layout.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\SmallTile.scale-100.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-180.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-200.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-200.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OPTINPS.DLL	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\OneConnectAppList.scale-125.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\talking.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-400.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_nb_135x40.svg	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-1x.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-24_altform-unplated.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\sr-latn-cs\mso.acl	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Hexagon.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-100.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\go-mobile.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\AppxBlockMap.xml	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign-2x.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\pyramid\Golden_Pharaoh_.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\commonassets.xml	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore\Resources\Assets\RT_Icons_Spilt_42.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoBeta.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.8883896e.pri	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Popups\Upsell\calendar.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Microsoft.Input.Ink.Analysis.winmd	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\ui-strings.js	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\win_logo_black.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\desktop\en-GB\doc_offline_accessibility.xml	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-60_altform-unplated.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-24.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\_Resources\1.rsrc	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\vlc.mo	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\TriPeaks\Goal_6.jpg	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-125.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_activityAlert.targetsize-48.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\ui-strings.js	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\OneConnectStoreLogo.scale-125.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\WideTile.scale-100.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\MedTile.scale-100.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1249_20x20x32.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5601_20x20x32.png	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe

pid	process
504	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
504	e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3748 vssvc.exe
Token: SeRestorePrivilege 3748 vssvc.exe
Token: SeAuditPrivilege 3748 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	3748	vssvc.exe
Token: SeRestorePrivilege	3748	vssvc.exe
Token: SeAuditPrivilege	3748	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe
"C:\Users\Admin\AppData\Local\Temp\e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.sample.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3748

\??\c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:1480

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads