Analysis
-
max time kernel
286s -
max time network
288s -
platform
windows10_x64 -
resource
win10-en -
submitted
17-09-2021 07:08
Static task
static1
Behavioral task
behavioral1
Sample
5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe
Resource
win7-en-20210916
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe
Resource
win10-en
windows10_x64
0 signatures
0 seconds
General
-
Target
5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe
-
Size
53KB
-
MD5
844bc3ea23be83905a02980a57879af2
-
SHA1
b8bab791e68200d11ec4ee6a2824f6d281287b85
-
SHA256
5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da
-
SHA512
38221a55bf4f50a99bd4840cbc50f1468408e4fbf48a3510cc8a1c7147aa77f109d04f86f7053d20547df24d6652ccfb9827629f22d94a78e7fdfa0039d35b05
Score
8/10
Malware Config
Signatures
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exedescription ioc Process File renamed C:\Users\Admin\Pictures\UnlockSearch.raw => C:\Users\Admin\Pictures\UnlockSearch.raw.lockis 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File renamed C:\Users\Admin\Pictures\ConvertFromMount.tiff => C:\Users\Admin\Pictures\ConvertFromMount.tiff.lockis 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File renamed C:\Users\Admin\Pictures\RedoUpdate.crw => C:\Users\Admin\Pictures\RedoUpdate.crw.lockis 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File renamed C:\Users\Admin\Pictures\SetResolve.png => C:\Users\Admin\Pictures\SetResolve.png.lockis 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File renamed C:\Users\Admin\Pictures\ReceiveExport.crw => C:\Users\Admin\Pictures\ReceiveExport.crw.lockis 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File renamed C:\Users\Admin\Pictures\RequestDismount.raw => C:\Users\Admin\Pictures\RequestDismount.raw.lockis 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File renamed C:\Users\Admin\Pictures\ResumeFormat.png => C:\Users\Admin\Pictures\ResumeFormat.png.lockis 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Admin\Pictures\ConvertFromMount.tiff 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Admin\Pictures\GetDeny.tiff 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File renamed C:\Users\Admin\Pictures\GetDeny.tiff => C:\Users\Admin\Pictures\GetDeny.tiff.lockis 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 28 IoCs
Processes:
5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exedescription ioc Process File opened for modification C:\Users\Admin\Links\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Public\Videos\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Admin\Music\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Public\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-2559286294-2439613352-4032193287-1000\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Public\Music\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Public\Documents\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files (x86)\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe -
Drops file in Program Files directory 64 IoCs
Processes:
5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exedescription ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\MedTile.scale-200.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim1.smile.scale-200.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\ui-strings.js 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\ui-strings.js 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\glass.dll 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\ui-strings.js 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\Common\DebugOverlay.xaml 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-oob.xrm-ms 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\ui-strings.js 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2017.131.1904.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Confirmation2x.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\LargeTile.scale-200.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Solve\autosolve_button_over.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\ui-strings.js 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6701_32x32x32.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5311_48x48x32.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\how_to_back_files.html 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeSmallTile.scale-200.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\AppxManifest.xml 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\Emboss.scale-140.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\how_to_back_files.html 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\js\how_to_back_files.html 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\TextEntityExtractorProxy.dll 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\cat.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-150.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\how_to_back_files.html 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Windows.dll 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\dbghelp.dll 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\8-Point Star.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24_altform-colorize.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-white_scale-125.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsimple_channel_mixer_plugin.dll 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\System\msvcp140_1.dll 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-256.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-72.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\uk-ua\ui-strings.js 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\root\how_to_back_files.html 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_ms.dll 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Cloud.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-48_altform-unplated.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Microsoft.Entertainment.winmd 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreWideTile.scale-200.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\LobbyTiles\Pyramid_bp_809.jpg 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\klondike\Ice_Castle_Unearned_small.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl.bat 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ja_135x40.svg 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\ui-strings.js 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\how_to_back_files.html 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-black_scale-100.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\ConstantsPerFrame.fx 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\10px.png 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmediadirs_plugin.dll 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exedescription pid Process procid_target PID 4528 wrote to memory of 4068 4528 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe 77 PID 4528 wrote to memory of 4068 4528 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe 77 PID 4528 wrote to memory of 4068 4528 5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe 77
Processes
-
C:\Users\Admin\AppData\Local\Temp\5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe"C:\Users\Admin\AppData\Local\Temp\5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5086511712357c72400c4eb50cb9c84818174ec82fcda8e682aed5738d9b17da.exe > nul2⤵PID:4068
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
ee5739ac854c1545e1b76f749f908bf8
SHA1f638b048bc4e6522549881aa96ddf98fe5952fa4
SHA25664f9e109ea4b21106f72fb3d9e4264e70c85a3c2a7d373c37a4679845c5c3f7e
SHA512533568e55561bac4c268407b32619b7e6013ca5ed2dded4e9a26ee48c5ec9b69066572d6a319e84c9eb9f5581559db56afe7fa65ab8236fa50d93ed317b0f33a