3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a

General

Target

3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
Size

186KB
MD5

9deb222bace3387108c25a82d2bea2ea
SHA1

541bd9855a01b2b785534bcac62e331036eaf0db
SHA256

3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a
SHA512

74b5e55b80add95ee6390622fcdb7b85f42f74b7dba1596c5c76e35e30c703765a7765b11ce4c8e84ba2383aa304b2ef95bcad70208f44ac88440d05a579a0bb

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SelectExport.crw => C:\Users\Admin\Pictures\SelectExport.crw.QMIBK	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\SkipStop.raw => C:\Users\Admin\Pictures\SkipStop.raw.QMIBK	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe

Drops startup file 1 IoCs

Processes:

3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 32 IoCs

Processes:

3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Public\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\List.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-tw\ui-strings.js	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview-hover.svg	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_fi_135x40.svg	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\R3ADM3.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons.png	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\main.css	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\faf_icons.png	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\R3ADM3.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\R3ADM3.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_FR.LEX	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\R3ADM3.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\R3ADM3.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ul-oob.xrm-ms	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\R3ADM3.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ro-ro\R3ADM3.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_LinkNoDrop32x32.gif	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\ui-strings.js	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox28.tlb	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\R3ADM3.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\hyph_en_US.dic	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse_1.1.200.v20140414-0825.jar	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\jvm.cfg	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.INF	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_empty_state.svg	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_editpdf_18.svg	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text.cur	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\R3ADM3.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\af_get.svg	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\sysinfo.bat	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\action_poster.jpg	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\R3ADM3.txt	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_es.properties	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\es-419_get.svg	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exesvchost.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe
File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe

pid	process
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1016	vssvc.exe
Token: SeRestorePrivilege	1016	vssvc.exe
Token: SeAuditPrivilege	1016	vssvc.exe
Token: SeIncreaseQuotaPrivilege	828	WMIC.exe
Token: SeSecurityPrivilege	828	WMIC.exe
Token: SeTakeOwnershipPrivilege	828	WMIC.exe
Token: SeLoadDriverPrivilege	828	WMIC.exe
Token: SeSystemProfilePrivilege	828	WMIC.exe
Token: SeSystemtimePrivilege	828	WMIC.exe
Token: SeProfSingleProcessPrivilege	828	WMIC.exe
Token: SeIncBasePriorityPrivilege	828	WMIC.exe
Token: SeCreatePagefilePrivilege	828	WMIC.exe
Token: SeBackupPrivilege	828	WMIC.exe
Token: SeRestorePrivilege	828	WMIC.exe
Token: SeShutdownPrivilege	828	WMIC.exe
Token: SeDebugPrivilege	828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	828	WMIC.exe
Token: SeRemoteShutdownPrivilege	828	WMIC.exe
Token: SeUndockPrivilege	828	WMIC.exe
Token: SeManageVolumePrivilege	828	WMIC.exe
Token: 33	828	WMIC.exe
Token: 34	828	WMIC.exe
Token: 35	828	WMIC.exe
Token: 36	828	WMIC.exe
Token: SeIncreaseQuotaPrivilege	828	WMIC.exe
Token: SeSecurityPrivilege	828	WMIC.exe
Token: SeTakeOwnershipPrivilege	828	WMIC.exe
Token: SeLoadDriverPrivilege	828	WMIC.exe
Token: SeSystemProfilePrivilege	828	WMIC.exe
Token: SeSystemtimePrivilege	828	WMIC.exe
Token: SeProfSingleProcessPrivilege	828	WMIC.exe
Token: SeIncBasePriorityPrivilege	828	WMIC.exe
Token: SeCreatePagefilePrivilege	828	WMIC.exe
Token: SeBackupPrivilege	828	WMIC.exe
Token: SeRestorePrivilege	828	WMIC.exe
Token: SeShutdownPrivilege	828	WMIC.exe
Token: SeDebugPrivilege	828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	828	WMIC.exe
Token: SeRemoteShutdownPrivilege	828	WMIC.exe
Token: SeUndockPrivilege	828	WMIC.exe
Token: SeManageVolumePrivilege	828	WMIC.exe
Token: 33	828	WMIC.exe
Token: 34	828	WMIC.exe
Token: 35	828	WMIC.exe
Token: 36	828	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ShellExperienceHost.exe

pid process

652 ShellExperienceHost.exe
652 ShellExperienceHost.exe

pid	process
652	ShellExperienceHost.exe
652	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.execmd.exe

description	pid	process	target process
PID 1832 wrote to memory of 556	1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe	cmd.exe
PID 1832 wrote to memory of 556	1832	3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe	cmd.exe
PID 556 wrote to memory of 828	556	cmd.exe	WMIC.exe
PID 556 wrote to memory of 828	556	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\3443a0e087a535d5df169dd94b0c0f084d8ae97cff6c79becda3c6659837df9a.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{493E2A7D-D35C-4823-8312-DB6A87B45E66}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{493E2A7D-D35C-4823-8312-DB6A87B45E66}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3924

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
- Drops file in Windows directory
PID:3236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/556-114-0x0000000000000000-mapping.dmp

Download
memory/828-115-0x0000000000000000-mapping.dmp

Download
memory/3236-117-0x0000024683FA0000-0x0000024683FB0000-memory.dmp

Filesize
64KB

Download
memory/3236-116-0x0000024683BF0000-0x0000024683C00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads