Resubmissions
23-08-2021 09:03
210823-vqq93xpzhj 1012-08-2021 21:11
210812-xvzjbhw2q2 1008-08-2021 17:49
210808-rjh11mmpt6 10Analysis
-
max time kernel
44s -
max time network
136s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
12-08-2021 21:11
Static task
static1
Behavioral task
behavioral1
Sample
0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
Resource
win11
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
General
-
Target
0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
-
Size
1.2MB
-
MD5
cc3652c078fa2bdfbbfae33335c30bda
-
SHA1
b3d3ad0c2c9d526717f55c431d51c2f1e957325b
-
SHA256
0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad
-
SHA512
d027e1df8c10516b81e47ef840f0e2baf971c0e0c4e77ff0fdc0122bbbb66ed210fd78336cb40d05c76d91838ae89ebb3304050dbf7fb7eeec73d47d1d26ec3d
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1172 bcdedit.exe 2732 bcdedit.exe -
pid Process 3836 wbadmin.exe 1088 wbadmin.exe -
Drops file in Drivers directory 13 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\networks 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\drivers\etc\protocol 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\drivers\etc\protocol.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\drivers\etc\services.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\drivers\etc\services 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\drivers\etc\hosts 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\drivers\etc\hosts.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\drivers\etc\hosts.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\drivers\etc\networks.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\drivers\etc\networks.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\drivers\etc\protocol.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\drivers\etc\services.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe -
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\DisableMerge.png.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File renamed C:\Users\Admin\Pictures\ImportDismount.crw => C:\Users\Admin\Pictures\ImportDismount.crw.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Users\Admin\Pictures\ImportDismount.crw.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Users\Admin\Pictures\ImportDismount.crw.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File renamed C:\Users\Admin\Pictures\ReceiveUnregister.crw => C:\Users\Admin\Pictures\ReceiveUnregister.crw.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File renamed C:\Users\Admin\Pictures\DisableMerge.png => C:\Users\Admin\Pictures\DisableMerge.png.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Users\Admin\Pictures\DisableMerge.png.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Users\Admin\Pictures\ReceiveUnregister.crw.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File renamed C:\Users\Admin\Pictures\ReceiveUnregister.crw.inprocess => C:\Users\Admin\Pictures\ReceiveUnregister.crw.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Users\Admin\Pictures\ReceiveUnregister.crw.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File renamed C:\Users\Admin\Pictures\DisableMerge.png.inprocess => C:\Users\Admin\Pictures\DisableMerge.png.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File renamed C:\Users\Admin\Pictures\ImportDismount.crw.inprocess => C:\Users\Admin\Pictures\ImportDismount.crw.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe\" e" 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe -
Enumerates connected drives 3 TTPs 41 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\Q: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\V: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\Y: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\D: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\A: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\H: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\G: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\M: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\U: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\Z: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\E: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\B: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\F: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\R: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\N: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\S: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\T: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\W: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\I: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\L: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\J: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\O: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\P: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\X: 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\System32\config\VSMIDK.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9C237ECACBCB4101A3BE740DF0E53F83.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\76d91ec2-8d82-44ab-b69b-7b33b0c11cdb.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\VSMIDK 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\38a4f245-c914-4fa9-8b25-ef795f13414a.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\df180ab0-d649-4569-b19a-3c628182808f 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\38349308-c071-4a56-8ebb-0f46b1d60a7f.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\VSMIDK.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9C237ECACBCB4101A3BE740DF0E53F83 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\DRIVERS 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\SAM 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\SOFTWARE 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Windows\System32\config\RegBack\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6D1A73D92C4DC2751A4B5A2404E1BDCC.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\ELAM.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6D1A73D92C4DC2751A4B5A2404E1BDCC.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\76d91ec2-8d82-44ab-b69b-7b33b0c11cdb.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\DEFAULT 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\BCD-Template.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Windows\System32\Microsoft\Protect\S-1-5-18\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9C237ECACBCB4101A3BE740DF0E53F83.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\38349308-c071-4a56-8ebb-0f46b1d60a7f.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\SYSTEM 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\76d91ec2-8d82-44ab-b69b-7b33b0c11cdb 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\SECURITY 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6D1A73D92C4DC2751A4B5A2404E1BDCC 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Windows\System32\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Mozilla Firefox\precomplete.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Google\Chrome\Application\master_preferences.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Google\Chrome\Application\master_preferences.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Program Files\Mozilla Firefox\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Program Files\Google\Chrome\Application\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_f2\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_f7\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_f33\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Mozilla Firefox\precomplete.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Google\Chrome\Application\master_preferences 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_f4\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Mozilla Firefox\removed-files 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Mozilla Firefox\removed-files.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Mozilla Firefox\removed-files.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_w1\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Mozilla Firefox\precomplete 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_f14\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_f3\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Boot\DVD\PCAT\BCD 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\state.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Windows\Installer\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10} 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE} 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707} 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE} 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl wbadmin.exe File opened for modification C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\state 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_89bbad60-16d5-41c2-ad8d-716f4ac5f4c2 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F86418066F0} 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C} 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Boot\PCAT\bootmgr 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7} 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Panther\setupinfo.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Windows\Boot\DVD\PCAT\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Panther\setupinfo 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180660}.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Boot\PCAT\bootnxt 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Boot\DVD\EFI\BCD 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F86418066F0}.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE} 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Windows\Boot\PCAT\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Resources\Maps\mwconfig_client 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Windows\Boot\DVD\EFI\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F86418066F0}.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_89bbad60-16d5-41c2-ad8d-716f4ac5f4c2.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100} 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{12578975-C765-4BDF-8DDC-3284BC0E855F}.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\!!!HOW_TO_DECRYPT!!!.mht 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\state.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl wbadmin.exe File opened for modification C:\Windows\Installer\SourceHash{12578975-C765-4BDF-8DDC-3284BC0E855F}.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00} 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6} 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl wbadmin.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.gpay 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.inprocess 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 13 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1576 vssadmin.exe 2128 vssadmin.exe 2824 vssadmin.exe 272 vssadmin.exe 3800 vssadmin.exe 1796 vssadmin.exe 3912 vssadmin.exe 256 vssadmin.exe 1516 vssadmin.exe 3520 vssadmin.exe 3836 vssadmin.exe 3964 vssadmin.exe 644 vssadmin.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1576 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeBackupPrivilege 2348 vssvc.exe Token: SeRestorePrivilege 2348 vssvc.exe Token: SeAuditPrivilege 2348 vssvc.exe Token: SeIncreaseQuotaPrivilege 268 wmic.exe Token: SeSecurityPrivilege 268 wmic.exe Token: SeTakeOwnershipPrivilege 268 wmic.exe Token: SeLoadDriverPrivilege 268 wmic.exe Token: SeSystemProfilePrivilege 268 wmic.exe Token: SeSystemtimePrivilege 268 wmic.exe Token: SeProfSingleProcessPrivilege 268 wmic.exe Token: SeIncBasePriorityPrivilege 268 wmic.exe Token: SeCreatePagefilePrivilege 268 wmic.exe Token: SeBackupPrivilege 268 wmic.exe Token: SeRestorePrivilege 268 wmic.exe Token: SeShutdownPrivilege 268 wmic.exe Token: SeDebugPrivilege 268 wmic.exe Token: SeSystemEnvironmentPrivilege 268 wmic.exe Token: SeRemoteShutdownPrivilege 268 wmic.exe Token: SeUndockPrivilege 268 wmic.exe Token: SeManageVolumePrivilege 268 wmic.exe Token: 33 268 wmic.exe Token: 34 268 wmic.exe Token: 35 268 wmic.exe Token: 36 268 wmic.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 3412 wrote to memory of 1516 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 72 PID 3412 wrote to memory of 1516 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 72 PID 3412 wrote to memory of 3520 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 79 PID 3412 wrote to memory of 3520 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 79 PID 3412 wrote to memory of 3836 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 81 PID 3412 wrote to memory of 3836 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 81 PID 3412 wrote to memory of 2128 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 83 PID 3412 wrote to memory of 2128 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 83 PID 3412 wrote to memory of 2824 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 85 PID 3412 wrote to memory of 2824 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 85 PID 3412 wrote to memory of 3964 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 87 PID 3412 wrote to memory of 3964 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 87 PID 3412 wrote to memory of 272 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 89 PID 3412 wrote to memory of 272 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 89 PID 3412 wrote to memory of 3800 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 91 PID 3412 wrote to memory of 3800 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 91 PID 3412 wrote to memory of 1796 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 93 PID 3412 wrote to memory of 1796 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 93 PID 3412 wrote to memory of 644 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 95 PID 3412 wrote to memory of 644 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 95 PID 3412 wrote to memory of 3912 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 97 PID 3412 wrote to memory of 3912 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 97 PID 3412 wrote to memory of 256 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 99 PID 3412 wrote to memory of 256 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 99 PID 3412 wrote to memory of 1576 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 101 PID 3412 wrote to memory of 1576 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 101 PID 3412 wrote to memory of 1172 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 103 PID 3412 wrote to memory of 1172 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 103 PID 3412 wrote to memory of 2732 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 105 PID 3412 wrote to memory of 2732 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 105 PID 3412 wrote to memory of 3836 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 107 PID 3412 wrote to memory of 3836 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 107 PID 3412 wrote to memory of 1088 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 109 PID 3412 wrote to memory of 1088 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 109 PID 3412 wrote to memory of 268 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 111 PID 3412 wrote to memory of 268 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 111 PID 3412 wrote to memory of 3900 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 116 PID 3412 wrote to memory of 3900 3412 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe 116 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe"C:\Users\Admin\AppData\Local\Temp\0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe"1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3412 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:1516
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:3520
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3836
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2128
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2824
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3964
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:272
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3800
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1796
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:644
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3912
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:256
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1576
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
PID:1172
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:2732
-
-
C:\Windows\SYSTEM32\wbadmin.exewbadmin DELETE SYSTEMSTATEBACKUP2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:3836
-
-
C:\Windows\SYSTEM32\wbadmin.exewbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:1088
-
-
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:268
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0ABB4A~1.EXE >> NUL2⤵PID:3900
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_LOCK.TXT1⤵
- Opens file in notepad (likely ransom note)
PID:1576