f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31

Analysis

max time kernel
66s
max time network
68s
platform
windows7_x64
resource
win7v20210410
submitted
08/08/2021, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
Size

1.2MB
MD5

6f21a85894e91b7082407e08e7c231c8
SHA1

f576ed4ae101088abcb2b6b9b0649b972b023546
SHA256

f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31
SHA512

deada7181f11badc0d64d1cab50951eab6472c178382b2ceff52a8aae447578a97f640e4a74b34889146df7c435a2a29f72f140e50f8345543ef422e4cd41a44

Score

9^/10

evasion persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1340	bcdedit.exe
1764	bcdedit.exe

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
212	wbadmin.exe
268	wbadmin.exe

Drops file in Drivers directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe

Modifies extensions of user files 30 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ResolveOpen.tiff => C:\Users\Admin\Pictures\ResolveOpen.tiff.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveOpen.tiff.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeRead.tif.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Users\Admin\Pictures\StepDisable.crw.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SearchUndo.tiff	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File renamed	C:\Users\Admin\Pictures\SearchUndo.tiff => C:\Users\Admin\Pictures\SearchUndo.tiff.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectRead.raw.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File renamed	C:\Users\Admin\Pictures\ExpandStart.crw => C:\Users\Admin\Pictures\ExpandStart.crw.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File renamed	C:\Users\Admin\Pictures\ExpandStart.crw.inprocess => C:\Users\Admin\Pictures\ExpandStart.crw.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File renamed	C:\Users\Admin\Pictures\ResumeRead.tif.inprocess => C:\Users\Admin\Pictures\ResumeRead.tif.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SearchUndo.tiff.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File renamed	C:\Users\Admin\Pictures\UnprotectRead.raw => C:\Users\Admin\Pictures\UnprotectRead.raw.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File renamed	C:\Users\Admin\Pictures\UnprotectRead.raw.inprocess => C:\Users\Admin\Pictures\UnprotectRead.raw.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Users\Admin\Pictures\FormatSelect.raw.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveOpen.tiff.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File renamed	C:\Users\Admin\Pictures\SearchUndo.tiff.inprocess => C:\Users\Admin\Pictures\SearchUndo.tiff.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandStart.crw.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File renamed	C:\Users\Admin\Pictures\FormatSelect.raw.inprocess => C:\Users\Admin\Pictures\FormatSelect.raw.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Users\Admin\Pictures\FormatSelect.raw.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File renamed	C:\Users\Admin\Pictures\ResolveOpen.tiff.inprocess => C:\Users\Admin\Pictures\ResolveOpen.tiff.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeRead.tif.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File renamed	C:\Users\Admin\Pictures\StepDisable.crw.inprocess => C:\Users\Admin\Pictures\StepDisable.crw.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandStart.crw.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Users\Admin\Pictures\StepDisable.crw.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File renamed	C:\Users\Admin\Pictures\ResumeRead.tif => C:\Users\Admin\Pictures\ResumeRead.tif.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SearchUndo.tiff.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File renamed	C:\Users\Admin\Pictures\StepDisable.crw => C:\Users\Admin\Pictures\StepDisable.crw.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File renamed	C:\Users\Admin\Pictures\FormatSelect.raw => C:\Users\Admin\Pictures\FormatSelect.raw.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveOpen.tiff	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectRead.raw.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe

Deletes itself 1 IoCs

pid	Process
208	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe\" e"	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe

Enumerates connected drives 3 TTPs 41 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\N:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\P:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\S:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\X:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\U:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\W:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\J:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\M:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\E:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\A:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\T:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\Z:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\B:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\H:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\K:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\D:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\Q:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\R:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\I:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\O:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\V:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\Y:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\G:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\L:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\F:	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\7159d68a-652d-40c5-8ef8-48cf3dd69866	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\DEFAULT	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\50fc4233-1ec2-41e2-82c7-33fdf44fd413	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\SOFTWARE	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\da266c6b-fa73-4f51-a7eb-a0fd3aba48c6.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\SOFTWARE	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\50fc4233-1ec2-41e2-82c7-33fdf44fd413.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\SYSTEM	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\System32\Microsoft\Protect\S-1-5-18\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\SYSTEM	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\50fc4233-1ec2-41e2-82c7-33fdf44fd413.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\7159d68a-652d-40c5-8ef8-48cf3dd69866.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\BCD-Template	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\System32\config\RegBack\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\DEFAULT	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\SAM	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\SAM	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CET.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kuala_Lumpur.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Macau.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-12.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Swift_Current	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Cocos.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\MST7MDT.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Caracas	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Damascus.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Sofia	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Easter.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Asuncion	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Bissau.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Chisinau	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Niue	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Belem	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tashkent.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fakaofo	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\El_Salvador.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Tijuana.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Stockholm.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Easter.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Midway	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Curacao.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+3.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Chita.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Chihuahua	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Khandyga.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tokyo	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Recife.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Tallinn.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Marquesas.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Anchorage.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Novosibirsk	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tbilisi	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Paramaribo.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Minsk	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\HST.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Almaty.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CST6CDT.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\La_Paz.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Prague.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\MST7MDT	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Irkutsk	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Pontianak.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh87.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Vancouver	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_1	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_2	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\state.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\Panther\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\Boot\PCAT\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_2	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\state	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th0	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th2	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th1	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_0	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_1	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\Boot\DVD\PCAT\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\ehome\CreateDisc\Components\tables\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\f29b02fec13315ab58a997da84d42d39f8d01a1d.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\f29b02fec13315ab58a997da84d42d39f8d01a1d.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\dewindow	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Panther\setupinfo.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\state.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_3	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\enwindow	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb2	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\f29b02fec13315ab58a997da84d42d39f8d01a1d	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_0	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\state.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\Panther\setupinfo.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\BCD	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\Boot\PCAT\bootmgr	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\state.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\state.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\state.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\state.1btc	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb1	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb1	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb2	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb0	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th2	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\state	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\BCD	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\state.inprocess	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\state	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\state	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th0	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb0	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th1	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 13 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
616	vssadmin.exe
1620	vssadmin.exe
1604	vssadmin.exe
864	vssadmin.exe
524	vssadmin.exe
1396	vssadmin.exe
1328	vssadmin.exe
228	vssadmin.exe
1116	vssadmin.exe
1724	vssadmin.exe
268	vssadmin.exe
796	vssadmin.exe
1568	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeBackupPrivilege	928	vssvc.exe
Token: SeRestorePrivilege	928	vssvc.exe
Token: SeAuditPrivilege	928	vssvc.exe
Token: SeIncreaseQuotaPrivilege	796	wmic.exe
Token: SeSecurityPrivilege	796	wmic.exe
Token: SeTakeOwnershipPrivilege	796	wmic.exe
Token: SeLoadDriverPrivilege	796	wmic.exe
Token: SeSystemProfilePrivilege	796	wmic.exe
Token: SeSystemtimePrivilege	796	wmic.exe
Token: SeProfSingleProcessPrivilege	796	wmic.exe
Token: SeIncBasePriorityPrivilege	796	wmic.exe
Token: SeCreatePagefilePrivilege	796	wmic.exe
Token: SeBackupPrivilege	796	wmic.exe
Token: SeRestorePrivilege	796	wmic.exe
Token: SeShutdownPrivilege	796	wmic.exe
Token: SeDebugPrivilege	796	wmic.exe
Token: SeSystemEnvironmentPrivilege	796	wmic.exe
Token: SeRemoteShutdownPrivilege	796	wmic.exe
Token: SeUndockPrivilege	796	wmic.exe
Token: SeManageVolumePrivilege	796	wmic.exe
Token: 33	796	wmic.exe
Token: 34	796	wmic.exe
Token: 35	796	wmic.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 1724	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	26
PID 1020 wrote to memory of 1724	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	26
PID 1020 wrote to memory of 1724	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	26
PID 1020 wrote to memory of 864	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	34
PID 1020 wrote to memory of 864	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	34
PID 1020 wrote to memory of 864	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	34
PID 1020 wrote to memory of 268	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	36
PID 1020 wrote to memory of 268	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	36
PID 1020 wrote to memory of 268	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	36
PID 1020 wrote to memory of 796	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	38
PID 1020 wrote to memory of 796	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	38
PID 1020 wrote to memory of 796	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	38
PID 1020 wrote to memory of 524	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	40
PID 1020 wrote to memory of 524	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	40
PID 1020 wrote to memory of 524	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	40
PID 1020 wrote to memory of 1568	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	42
PID 1020 wrote to memory of 1568	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	42
PID 1020 wrote to memory of 1568	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	42
PID 1020 wrote to memory of 1396	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	44
PID 1020 wrote to memory of 1396	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	44
PID 1020 wrote to memory of 1396	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	44
PID 1020 wrote to memory of 1328	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	46
PID 1020 wrote to memory of 1328	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	46
PID 1020 wrote to memory of 1328	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	46
PID 1020 wrote to memory of 228	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	48
PID 1020 wrote to memory of 228	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	48
PID 1020 wrote to memory of 228	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	48
PID 1020 wrote to memory of 616	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	50
PID 1020 wrote to memory of 616	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	50
PID 1020 wrote to memory of 616	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	50
PID 1020 wrote to memory of 1620	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	52
PID 1020 wrote to memory of 1620	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	52
PID 1020 wrote to memory of 1620	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	52
PID 1020 wrote to memory of 1116	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	54
PID 1020 wrote to memory of 1116	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	54
PID 1020 wrote to memory of 1116	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	54
PID 1020 wrote to memory of 1604	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	56
PID 1020 wrote to memory of 1604	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	56
PID 1020 wrote to memory of 1604	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	56
PID 1020 wrote to memory of 1340	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	58
PID 1020 wrote to memory of 1340	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	58
PID 1020 wrote to memory of 1340	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	58
PID 1020 wrote to memory of 1764	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	60
PID 1020 wrote to memory of 1764	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	60
PID 1020 wrote to memory of 1764	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	60
PID 1020 wrote to memory of 212	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	62
PID 1020 wrote to memory of 212	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	62
PID 1020 wrote to memory of 212	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	62
PID 1020 wrote to memory of 268	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	64
PID 1020 wrote to memory of 268	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	64
PID 1020 wrote to memory of 268	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	64
PID 1020 wrote to memory of 796	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	66
PID 1020 wrote to memory of 796	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	66
PID 1020 wrote to memory of 796	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	66
PID 1020 wrote to memory of 208	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	69
PID 1020 wrote to memory of 208	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	69
PID 1020 wrote to memory of 208	1020	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe	69

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe

C:\Users\Admin\AppData\Local\Temp\f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe
"C:\Users\Admin\AppData\Local\Temp\f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31.bin.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1020
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1724
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:864
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:268
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:796
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:524
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1568
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1396
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1328
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:228
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:616
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1620
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1116
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1604
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1340
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1764
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:212
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:268
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:796
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F5FB7F~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:208