Analysis
- max time kernel: 160s
- max time network: 130s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 28-09-2021 08:15
Static task: static1
Behavioral task: behavioral1
- Sample: be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe
- Resource: win10v20210408
General
- Target: be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe
- Size: 191KB
- MD5: 435b7f9a16f6846fd263e6641df6f496
- SHA1: fc45d2718f67ea9b59c7fc30c3d585049f884c12
- SHA256: be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70
- SHA512: 5fa0c155a512ace1f78db1c0af612f06781b4e7e42e6ebb24d074ad1de9d73dbe2b2d4cf4665740241e41fecb22f2f8eeeb74d027a05a60f474f4807fe2160c7
Malware Config
Extracted
- Path: C:\readme.txt
- Family: conti
- URLs:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.best
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
Processes: be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\AssertLimit.png => C:\Users\Admin\Pictures\AssertLimit.png.MRBNY | be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\DismountSelect.crw => C:\Users\Admin\Pictures\DismountSelect.crw.MRBNY | be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\InitializeMount.tif => C:\Users\Admin\Pictures\InitializeMount.tif.MRBNY | be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\ResumeWait.tiff | be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\ResumeWait.tiff => C:\Users\Admin\Pictures\ResumeWait.tiff.MRBNY | be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\SuspendCompare.raw => C:\Users\Admin\Pictures\SuspendCompare.raw.MRBNY | be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe
- Drops startup file (1 IoCs)
Processes: be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt | be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (32 IoCs)
Processes: be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe
- Drops file in Program Files directory (64 IoCs)
Processes: be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe
- Drops file in Windows directory (1 IoCs)
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Windows\Debug\ESE.TXT | svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe (pid 908)
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes: vssvc.exe, WMIC.exe
description | pid | process
Token: SeBackupPrivilege | 2460 | vssvc.exe
Token: SeRestorePrivilege | 2460 | vssvc.exe
Token: SeAuditPrivilege | 2460 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 3960 | WMIC.exe
Token: SeSecurityPrivilege | 3960 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3960 | WMIC.exe
Token: SeLoadDriverPrivilege | 3960 | WMIC.exe
Token: SeSystemProfilePrivilege | 3960 | WMIC.exe
Token: SeSystemtimePrivilege | 3960 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3960 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3960 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3960 | WMIC.exe
Token: SeBackupPrivilege | 3960 | WMIC.exe
Token: SeRestorePrivilege | 3960 | WMIC.exe
Token: SeShutdownPrivilege | 3960 | WMIC.exe
Token: SeDebugPrivilege | 3960 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3960 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3960 | WMIC.exe
Token: SeUndockPrivilege | 3960 | WMIC.exe
Token: SeManageVolumePrivilege | 3960 | WMIC.exe
Token: 33 | 3960 | WMIC.exe
Token: 34 | 3960 | WMIC.exe
Token: 35 | 3960 | WMIC.exe
Token: 36 | 3960 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 3960 | WMIC.exe
Token: SeSecurityPrivilege | 3960 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3960 | WMIC.exe
Token: SeLoadDriverPrivilege | 3960 | WMIC.exe
Token: SeSystemProfilePrivilege | 3960 | WMIC.exe
Token: SeSystemtimePrivilege | 3960 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3960 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3960 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3960 | WMIC.exe
Token: SeBackupPrivilege | 3960 | WMIC.exe
Token: SeRestorePrivilege | 3960 | WMIC.exe
Token: SeShutdownPrivilege | 3960 | WMIC.exe
Token: SeDebugPrivilege | 3960 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3960 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3960 | WMIC.exe
Token: SeUndockPrivilege | 3960 | WMIC.exe
Token: SeManageVolumePrivilege | 3960 | WMIC.exe
Token: 33 | 3960 | WMIC.exe
Token: 34 | 3960 | WMIC.exe
Token: 35 | 3960 | WMIC.exe
Token: 36 | 3960 | WMIC.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: ShellExperienceHost.exe
pid | process
2940 | ShellExperienceHost.exe
2940 | ShellExperienceHost.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
Processes: be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe, cmd.exe
description | pid | process | target process
PID 908 wrote to memory of 3916 | 908 | be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe | cmd.exe
PID 908 wrote to memory of 3916 | 908 | be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe | cmd.exe
PID 3916 wrote to memory of 3960 | 3916 | cmd.exe | WMIC.exe
PID 3916 wrote to memory of 3960 | 3916 | cmd.exe | WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe (PID 908)
  Command line: "C:\Users\Admin\AppData\Local\Temp\be277aea966fd23c28bf2fcbe04959f19fd008dfac3dd0508f747f177f6bed70.bin.sample.exe"
  Signatures: Modifies extensions of user files; Drops startup file; Drops desktop.ini file(s); Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (PID 3916)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{493E2A7D-D35C-4823-8312-DB6A87B45E66}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 3960)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{493E2A7D-D35C-4823-8312-DB6A87B45E66}'" delete
      Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 2460)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe (PID 2940)
  Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe (PID 272)
  Command line: C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
  Signatures: Drops file in Windows directory