Analysis
- max time kernel: 73s
- max time network: 66s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 21/11/2021, 13:12
Static task: static1
Behavioral task: behavioral1
- Sample: 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe
- Resource: win10-en-20211104
General
- Target: 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe
- Size: 13KB
- MD5: d109e80eff2ed00ee76147306057b78e
- SHA1: ebdcaa6e32ae696725158482e0a7480d4c8433e5
- SHA256: 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42
- SHA512: 23ef87e942a02f9347b07044a3fa291558b425c57c6bc66f14a367fcd89f61617785da560e175d8a225398189a37745295e199d93d3ead75118ebee792e3dada
Malware Config
- Extracted: C:\Program Files\Microsoft Office\Updates\Apply\#File.decrypt#.txt
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  File renamed | C:\Users\Admin\Pictures\SendCopy.tiff => C:\Users\Admin\Pictures\SendCopy.tiff.file.decrypt | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe
  File renamed | C:\Users\Admin\Pictures\MergeBlock.crw => C:\Users\Admin\Pictures\MergeBlock.crw.file.decrypt | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe
  File opened for modification | C:\Users\Admin\Pictures\ExpandSearch.tiff | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe
  File renamed | C:\Users\Admin\Pictures\ExpandSearch.tiff => C:\Users\Admin\Pictures\ExpandSearch.tiff.file.decrypt | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe
  File renamed | C:\Users\Admin\Pictures\AddSend.png => C:\Users\Admin\Pictures\AddSend.png.file.decrypt | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe
  File opened for modification | C:\Users\Admin\Pictures\SendCopy.tiff | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe
- Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\#File.decrypt#.txt | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (30 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  3760 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3164 | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe
  3164 | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 3508 | vssvc.exe
  Token: SeRestorePrivilege | 3508 | vssvc.exe
  Token: SeAuditPrivilege | 3508 | vssvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 3164 wrote to memory of 3760 | 3164 | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe | 68
  PID 3164 wrote to memory of 3760 | 3164 | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe | 68
  PID 3164 wrote to memory of 1192 | 3164 | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe | 72
  PID 3164 wrote to memory of 1192 | 3164 | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe | 72
  PID 3164 wrote to memory of 1192 | 3164 | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe | 72
  PID 3164 wrote to memory of 2068 | 3164 | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe | 74
  PID 3164 wrote to memory of 2068 | 3164 | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe | 74
  PID 3164 wrote to memory of 2068 | 3164 | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe | 74
  PID 3164 wrote to memory of 1692 | 3164 | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe | 76
  PID 3164 wrote to memory of 1692 | 3164 | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe | 76
  PID 3164 wrote to memory of 1692 | 3164 | 7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe | 76
Processes
[1] C:\Users\Admin\AppData\Local\Temp\7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7c1f5cf8f242dfbd920180d8423777a4e540c37c09d787d4674b259bdbe0dc42.exe"
    PID: 3164
    - Modifies extensions of user files
    - Drops startup file
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\vssadmin.exe
        Command line: delete shadows /all /quiet
        PID: 3760
        - Interacts with shadow copies
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" bcdedit /set {current} bootstatuspolicy ignoreallfailures
        PID: 1192
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" bcdedit /set {current} recoveryenabled no
        PID: 2068
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" netsh advfirewall set allprofiles state off
        PID: 1692
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 3508
    - Suspicious use of AdjustPrivilegeToken