0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad

General

Target

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
Size

1.2MB
MD5

cc3652c078fa2bdfbbfae33335c30bda
SHA1

b3d3ad0c2c9d526717f55c431d51c2f1e957325b
SHA256

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad
SHA512

d027e1df8c10516b81e47ef840f0e2baf971c0e0c4e77ff0fdc0122bbbb66ed210fd78336cb40d05c76d91838ae89ebb3304050dbf7fb7eeec73d47d1d26ec3d

Score

9^/10

evasion persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1724 bcdedit.exe
1904 bcdedit.exe
Deletes System State backups 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

1756 wbadmin.exe
220 wbadmin.exe

pid	process
1724	bcdedit.exe
1904	bcdedit.exe

pid	process
1756	wbadmin.exe
220	wbadmin.exe

Drops file in Drivers directory 13 IoCs

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\networks.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\InitializeStep.tif.inprocess => C:\Users\Admin\Pictures\InitializeStep.tif.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeStep.tif.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveStart.tiff.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File renamed	C:\Users\Admin\Pictures\RemoveStart.tiff.inprocess => C:\Users\Admin\Pictures\RemoveStart.tiff.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeStep.tif.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveStart.tiff	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File renamed	C:\Users\Admin\Pictures\RemoveStart.tiff => C:\Users\Admin\Pictures\RemoveStart.tiff.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveStart.tiff.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File renamed	C:\Users\Admin\Pictures\InitializeStep.tif => C:\Users\Admin\Pictures\InitializeStep.tif.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1316 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1316	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe\" e"	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Enumerates connected drives 3 TTPs 41 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\Z:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\E:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\B:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\T:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\K:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\D:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\H:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\P:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\S:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\V:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\I:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\O:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\W:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\Q:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\R:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\U:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\Y:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\A:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\J:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\L:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\M:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\N:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\X:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Drops file in System32 directory 64 IoCs

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	process
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\LogFiles\Scm\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\da266c6b-fa73-4f51-a7eb-a0fd3aba48c6.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\config\RegBack\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\SAM	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\Microsoft\Protect\S-1-5-18\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\SOFTWARE	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\DEFAULT	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\SOFTWARE	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\SAM	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\SYSTEM	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\7159d68a-652d-40c5-8ef8-48cf3dd69866.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\50fc4233-1ec2-41e2-82c7-33fdf44fd413	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\7159d68a-652d-40c5-8ef8-48cf3dd69866.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\config\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\7159d68a-652d-40c5-8ef8-48cf3dd69866	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\BCD-Template	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Drops file in Program Files directory 64 IoCs

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Accra	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Halifax.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Almaty.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Omsk.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Zurich	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Moncton.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santarem.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Berlin.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Guam.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Winamac.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Program Files\Mozilla Firefox\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\meta-index.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\El_Aaiun.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+1.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Winnipeg.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Mauritius.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bahia.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Paramaribo.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\New_Salem.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\GMT	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\DumontDUrville.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+1	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Mahe	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Wake.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-6.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\HST10	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Belem	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cuiaba.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tashkent.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santo_Domingo.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Majuro	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Norfolk.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Hobart.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dubai.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Chisinau.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-13.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dubai	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hovd.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kabul.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yakutat.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Easter.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Tell_City	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jakarta.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Istanbul.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-5.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Simferopol.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Drops file in Windows directory 64 IoCs

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exewbadmin.exewbadmin.exe

description	ioc	process
File created	C:\Windows\Panther\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\BCD	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\ehome\CreateDisc\Components\tables\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\state.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\state	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Panther\setupinfo.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th0	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb2	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th0	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_3	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\state	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th2	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\state	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\f29b02fec13315ab58a997da84d42d39f8d01a1d.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\state.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\Boot\DVD\EFI\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb1	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\BCD	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb1	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th1	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th2	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_2	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb2	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb0	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\state.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\state.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb0	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\Boot\PCAT\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_1	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\dewindow	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\state.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Boot\PCAT\bootmgr	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\state	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\f29b02fec13315ab58a997da84d42d39f8d01a1d	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_1	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\state.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Panther\setupinfo.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\f29b02fec13315ab58a997da84d42d39f8d01a1d.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_0	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\enwindow	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\state.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 13 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
656	vssadmin.exe
1156	vssadmin.exe
1996	vssadmin.exe
1744	vssadmin.exe
208	vssadmin.exe
1688	vssadmin.exe
1068	vssadmin.exe
1664	vssadmin.exe
916	vssadmin.exe
744	vssadmin.exe
556	vssadmin.exe
1616	vssadmin.exe
1740	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

pid	process
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

vssvc.exewmic.exe

description	pid	process
Token: SeBackupPrivilege	1960	vssvc.exe
Token: SeRestorePrivilege	1960	vssvc.exe
Token: SeAuditPrivilege	1960	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1152	wmic.exe
Token: SeSecurityPrivilege	1152	wmic.exe
Token: SeTakeOwnershipPrivilege	1152	wmic.exe
Token: SeLoadDriverPrivilege	1152	wmic.exe
Token: SeSystemProfilePrivilege	1152	wmic.exe
Token: SeSystemtimePrivilege	1152	wmic.exe
Token: SeProfSingleProcessPrivilege	1152	wmic.exe
Token: SeIncBasePriorityPrivilege	1152	wmic.exe
Token: SeCreatePagefilePrivilege	1152	wmic.exe
Token: SeBackupPrivilege	1152	wmic.exe
Token: SeRestorePrivilege	1152	wmic.exe
Token: SeShutdownPrivilege	1152	wmic.exe
Token: SeDebugPrivilege	1152	wmic.exe
Token: SeSystemEnvironmentPrivilege	1152	wmic.exe
Token: SeRemoteShutdownPrivilege	1152	wmic.exe
Token: SeUndockPrivilege	1152	wmic.exe
Token: SeManageVolumePrivilege	1152	wmic.exe
Token: 33	1152	wmic.exe
Token: 34	1152	wmic.exe
Token: 35	1152	wmic.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	pid	process	target process
PID 2004 wrote to memory of 1740	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1740	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1740	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1664	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1664	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1664	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 744	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 744	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 744	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 656	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 656	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 656	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1156	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1156	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1156	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1996	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1996	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1996	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1744	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1744	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1744	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 556	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 556	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 556	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 208	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 208	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 208	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1688	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1688	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1688	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1068	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1068	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1068	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 916	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 916	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 916	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1616	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1616	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1616	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 2004 wrote to memory of 1724	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	bcdedit.exe
PID 2004 wrote to memory of 1724	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	bcdedit.exe
PID 2004 wrote to memory of 1724	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	bcdedit.exe
PID 2004 wrote to memory of 1904	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	bcdedit.exe
PID 2004 wrote to memory of 1904	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	bcdedit.exe
PID 2004 wrote to memory of 1904	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	bcdedit.exe
PID 2004 wrote to memory of 1756	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wbadmin.exe
PID 2004 wrote to memory of 1756	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wbadmin.exe
PID 2004 wrote to memory of 1756	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wbadmin.exe
PID 2004 wrote to memory of 220	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wbadmin.exe
PID 2004 wrote to memory of 220	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wbadmin.exe
PID 2004 wrote to memory of 220	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wbadmin.exe
PID 2004 wrote to memory of 1152	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wmic.exe
PID 2004 wrote to memory of 1152	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wmic.exe
PID 2004 wrote to memory of 1152	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wmic.exe
PID 2004 wrote to memory of 1316	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	cmd.exe
PID 2004 wrote to memory of 1316	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	cmd.exe
PID 2004 wrote to memory of 1316	2004	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	cmd.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

C:\Users\Admin\AppData\Local\Temp\0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
"C:\Users\Admin\AppData\Local\Temp\0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2004

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:1740

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:1664

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:744

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:656

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1156

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1996

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1744

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:556

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:208

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1688

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1068

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:916

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1616

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
2⤵
- Modifies boot configuration data using bcdedit
PID:1724

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Modifies boot configuration data using bcdedit
PID:1904

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:1756

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:220

C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0ABB4A~1.EXE >> NUL
2⤵
- Deletes itself
PID:1316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1960

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

3

T1107

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/208-68-0x0000000000000000-mapping.dmp

Download
memory/220-77-0x0000000000000000-mapping.dmp

Download
memory/556-67-0x0000000000000000-mapping.dmp

Download
memory/656-63-0x0000000000000000-mapping.dmp

Download
memory/744-62-0x0000000000000000-mapping.dmp

Download
memory/916-71-0x0000000000000000-mapping.dmp

Download
memory/1068-70-0x0000000000000000-mapping.dmp

Download
memory/1152-79-0x0000000000000000-mapping.dmp

Download
memory/1156-64-0x0000000000000000-mapping.dmp

Download
memory/1316-80-0x0000000000000000-mapping.dmp

Download
memory/1616-72-0x0000000000000000-mapping.dmp

Download
memory/1664-61-0x0000000000000000-mapping.dmp

Download
memory/1688-69-0x0000000000000000-mapping.dmp

Download
memory/1724-73-0x0000000000000000-mapping.dmp

Download
memory/1740-60-0x0000000000000000-mapping.dmp

Download
memory/1744-66-0x0000000000000000-mapping.dmp

Download
memory/1756-75-0x0000000000000000-mapping.dmp

Download
memory/1904-74-0x0000000000000000-mapping.dmp

Download
memory/1996-65-0x0000000000000000-mapping.dmp

Download
memory/2004-59-0x000007FEFC411000-0x000007FEFC413000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads