B06.exe

General

Target: B06.exe
Filesize: 4MB
Completed: 04-10-2021 11:03
Score: 10/10
MD5: 49fb0e5a3415155c24d6839250cd7fed
SHA1: 69fa4c797df21b98740368c268cfd1919bf4a6e0
SHA256: f2a155473c06ecad973676f1e2a8d228ab4a8adf32a87477c716f31fddf6cbaf

Malware Config
Signatures (26)

  • MedusaLocker

    Description

    Ransomware with several variants first seen in September 2019.

  • MedusaLocker Payload

    Reported IOCs

    resource: behavioral1/memory/1272-53-0x000000013FE00000-0x0000000140678000-memory.dmp
    yara_rule: family_medusalocker
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies boot configuration data using bcdedit
    bcdedit.exe, bcdedit.exe

    TTPs

    Inhibit System Recovery

    Reported IOCs

    pid  | process
    1348 | bcdedit.exe
    1592 | bcdedit.exe
  • Deletes System State backups
    wbadmin.exe, wbadmin.exe

    Description

    Uses wbadmin.exe to inhibit system recovery.

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery

    Reported IOCs

    pid  | process
    1828 | wbadmin.exe
    1244 | wbadmin.exe
  • Drops file in Drivers directory
    B06.exe

    Reported IOCs

  • Modifies extensions of user files
    B06.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

  • Deletes itself
    cmd.exe

    Reported IOCs

    pid  | process
    1244 | cmd.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    B06.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\B06.exe\" e" | B06.exe
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | B06.exe
  • Drops desktop.ini file(s)
    B06.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | \??\E:\$RECYCLE.BIN\S-1-5-21-3456797065-1076791440-4146276586-1000\desktop.ini | B06.exe
  • Enumerates connected drives
    B06.exe, vssadmin.exe (10 instances)

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

  • Drops file in System32 directory
    B06.exe

    Reported IOCs

  • Drops file in Program Files directory
    B06.exe

    Reported IOCs

  • Drops file in Windows directory
    wbadmin.exe, B06.exe, wbadmin.exe

    Reported IOCs

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Interacts with shadow copies
    vssadmin.exe (13 instances)

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

  • Modifies Internet Explorer settings
    iexplore.exe, IEXPLORE.EXE, iexplore.exe, IEXPLORE.EXE

    TTPs

    Modify Registry

    Reported IOCs

    Set value (data)\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 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.exe
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Mainiexplore.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"IEXPLORE.EXE
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecoveryiexplore.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MINIEiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistryiexplore.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d045e8320fb9d701iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbariexplore.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"iexplore.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecoveryiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliFormsiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearchiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgainiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActiveiexplore.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearchIEXPLORE.EXE
    Set value (int)\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6BD210B1-2502-11EC-826A-5A38D35B81CE} = "0"iexplore.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"iexplore.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MINIEiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMiciexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistryiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActiveiexplore.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"iexplore.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMiciexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearchIEXPLORE.EXE
  • Modifies registry class
    rundll32.exe, rundll32.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings | rundll32.exe
  • Opens file in notepad (likely ransom note)
    NOTEPAD.EXE

    Tags

    Reported IOCs

    pid | process
    1372 | NOTEPAD.EXE
  • Suspicious behavior: EnumeratesProcesses
    B06.exe

    Reported IOCs

    pid | process
    1272 | B06.exe
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exe, wmic.exe

    Reported IOCs

    description | pid | process
    Token: SeBackupPrivilege | 548 | vssvc.exe
    Token: SeRestorePrivilege | 548 | vssvc.exe
    Token: SeAuditPrivilege | 548 | vssvc.exe
    Token: SeIncreaseQuotaPrivilege | 632 | wmic.exe
    Token: SeSecurityPrivilege | 632 | wmic.exe
    Token: SeTakeOwnershipPrivilege | 632 | wmic.exe
    Token: SeLoadDriverPrivilege | 632 | wmic.exe
    Token: SeSystemProfilePrivilege | 632 | wmic.exe
    Token: SeSystemtimePrivilege | 632 | wmic.exe
    Token: SeProfSingleProcessPrivilege | 632 | wmic.exe
    Token: SeIncBasePriorityPrivilege | 632 | wmic.exe
    Token: SeCreatePagefilePrivilege | 632 | wmic.exe
    Token: SeBackupPrivilege | 632 | wmic.exe
    Token: SeRestorePrivilege | 632 | wmic.exe
    Token: SeShutdownPrivilege | 632 | wmic.exe
    Token: SeDebugPrivilege | 632 | wmic.exe
    Token: SeSystemEnvironmentPrivilege | 632 | wmic.exe
    Token: SeRemoteShutdownPrivilege | 632 | wmic.exe
    Token: SeUndockPrivilege | 632 | wmic.exe
    Token: SeManageVolumePrivilege | 632 | wmic.exe
    Token: 33 | 632 | wmic.exe
    Token: 34 | 632 | wmic.exe
    Token: 35 | 632 | wmic.exe
  • Suspicious use of FindShellTrayWindow
    iexplore.exe, iexplore.exe

    Reported IOCs

    pid | process
    1608 | iexplore.exe
    1840 | iexplore.exe
  • Suspicious use of SetWindowsHookEx
    iexplore.exe, IEXPLORE.EXE, iexplore.exe, IEXPLORE.EXE

    Reported IOCs

    pid | process
    1608 | iexplore.exe
    220 | IEXPLORE.EXE
    1840 | iexplore.exe
    1604 | IEXPLORE.EXE
  • Suspicious use of WriteProcessMemory
    B06.exe, iexplore.exe, iexplore.exe

    Reported IOCs

    description | pid | process | target process
    PID 1272 wrote to memory of 976 | 1272 | B06.exe | vssadmin.exe
    PID 1272 wrote to memory of 1540 | 1272 | B06.exe | vssadmin.exe
    PID 1272 wrote to memory of 1820 | 1272 | B06.exe | vssadmin.exe
    PID 1272 wrote to memory of 772 | 1272 | B06.exe | vssadmin.exe
    PID 1272 wrote to memory of 1644 | 1272 | B06.exe | vssadmin.exe
    PID 1272 wrote to memory of 1664 | 1272 | B06.exe | vssadmin.exe
    PID 1272 wrote to memory of 1556 | 1272 | B06.exe | vssadmin.exe
    PID 1272 wrote to memory of 1888 | 1272 | B06.exe | vssadmin.exe
    PID 1272 wrote to memory of 1716 | 1272 | B06.exe | vssadmin.exe
    PID 1272 wrote to memory of 1632 | 1272 | B06.exe | vssadmin.exe
    PID 1272 wrote to memory of 1116 | 1272 | B06.exe | vssadmin.exe
    PID 1272 wrote to memory of 1532 | 1272 | B06.exe | vssadmin.exe
    PID 1272 wrote to memory of 236 | 1272 | B06.exe | vssadmin.exe
    PID 1272 wrote to memory of 1348 | 1272 | B06.exe | bcdedit.exe
    PID 1272 wrote to memory of 1592 | 1272 | B06.exe | bcdedit.exe
    PID 1272 wrote to memory of 1828 | 1272 | B06.exe | wbadmin.exe
    PID 1272 wrote to memory of 1244 | 1272 | B06.exe | wbadmin.exe
    PID 1272 wrote to memory of 632 | 1272 | B06.exe | wmic.exe
    PID 1608 wrote to memory of 220 | 1608 | iexplore.exe | IEXPLORE.EXE
    PID 1272 wrote to memory of 1244 | 1272 | B06.exe | cmd.exe
    PID 1840 wrote to memory of 1604 | 1840 | iexplore.exe | IEXPLORE.EXE
  • System policy modification
    B06.exe

    Tags

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | B06.exe
Processes 28
  • C:\Users\Admin\AppData\Local\Temp\B06.exe
    "C:\Users\Admin\AppData\Local\Temp\B06.exe"
    Drops file in Drivers directory
    Modifies extensions of user files
    Adds Run key to start application
    Drops desktop.ini file(s)
    Enumerates connected drives
    Drops file in System32 directory
    Drops file in Program Files directory
    Drops file in Windows directory
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    System policy modification
    PID:1272
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      Interacts with shadow copies
      PID:976
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      Interacts with shadow copies
      PID:1540
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      Enumerates connected drives
      Interacts with shadow copies
      PID:1820
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      Enumerates connected drives
      Interacts with shadow copies
      PID:772
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      Enumerates connected drives
      Interacts with shadow copies
      PID:1644
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      Enumerates connected drives
      Interacts with shadow copies
      PID:1664
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      Enumerates connected drives
      Interacts with shadow copies
      PID:1556
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      Enumerates connected drives
      Interacts with shadow copies
      PID:1888
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      Enumerates connected drives
      Interacts with shadow copies
      PID:1716
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      Enumerates connected drives
      Interacts with shadow copies
      PID:1632
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      Enumerates connected drives
      Interacts with shadow copies
      PID:1116
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      Enumerates connected drives
      Interacts with shadow copies
      PID:1532
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      Interacts with shadow copies
      PID:236
    • C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled No
      Modifies boot configuration data using bcdedit
      PID:1348
    • C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      Modifies boot configuration data using bcdedit
      PID:1592
    • C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      Deletes System State backups
      Drops file in Windows directory
      PID:1828
    • C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      Deletes System State backups
      Drops file in Windows directory
      PID:1244
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      Suspicious use of AdjustPrivilegeToken
      PID:632
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B06.exe >> NUL
      Deletes itself
      PID:1244
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:548
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ReadMe_Instruction.mht
    Modifies Internet Explorer settings
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:220
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ReadMe_Instruction.mht
    Modifies Internet Explorer settings
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1840 CREDAT:275457 /prefetch:2
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1604
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UseMount.mpeg.udacha
    Modifies registry class
    PID:436
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UseMount.mpeg.udacha
      Opens file in notepad (likely ransom note)
      PID:1372
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Music\HideTest.bmp.udacha
    Modifies registry class
    PID:1840
Network
            Downloads
            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5A5234F1-2502-11EC-826A-5A38D35B81CE}.dat

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{69D70280-1A16-11EC-9C67-C222D480BBA6}.dat

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{61EFBB11-2502-11EC-826A-5A38D35B81CE}.dat

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wkz58mr\imagestore.dat

            • C:\Users\Admin\Desktop\ReadMe_Instruction.mht

            • C:\Users\Admin\Desktop\UseMount.mpeg.udacha

            • \??\PIPE\srvsvc
