targetcompany | e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b

General

Target

e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
Size

128KB
MD5

99e949ddd57dbc19457eba5f235516f3
SHA1

99f9270e85ec53b8dada459279d30e8b169462c1
SHA256

e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b
SHA512

4b4746c6d23be8d445876e5e6931d48ebbac8eca6c4ad545b6dc94c400f768df87ad03984c1c83a7e7d0225fd8cdd6305e4f7ef4d580378b42424288def7fa41

Score

10^/10

targetcompany evasion ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\How to decrypt files.txt

Family

targetcompany

Ransom Note

Your personal identifier: BRD454A21JS All files on BRG Precision Products network have been encrypted due to insufficient security. The only way to quickly and reliably regain access to your files is to contact us. The price depends on how fast you write to us. In other cases, you risk losing your time and access to data. Usually time is much more valuable than money. In addition, we downloaded about 100 gb of data from your network. We will publish the data if you do not negotiate with us. FAQ Q: How to contact us A: * Download Tor Browser - https://www.torproject.org/ * Open link in Tor Browser http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact * Follow the instructions on the website. Q: What guarantees? A: Before paying, we can decrypt several of your test files. Files should not contain valuable information. Q: Can I decrypt my data for free or through intermediaries? A: Use third party programs and intermediaries at your own risk. Third party software may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam. �

URLs

http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact

Signatures

TargetCompany
Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
ransomware targetcompany
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2212 bcdedit.exe
2852 bcdedit.exe

pid	process
2212	bcdedit.exe
2852	bcdedit.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ExpandSearch.tiff => C:\Users\Admin\Pictures\ExpandSearch.tiff.brg	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File renamed	C:\Users\Admin\Pictures\AddSend.png => C:\Users\Admin\Pictures\AddSend.png.brg	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Users\Admin\Pictures\SendCopy.tiff	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File renamed	C:\Users\Admin\Pictures\SendCopy.tiff => C:\Users\Admin\Pictures\SendCopy.tiff.brg	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File renamed	C:\Users\Admin\Pictures\MergeBlock.crw => C:\Users\Admin\Pictures\MergeBlock.crw.brg	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandSearch.tiff	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe

description	ioc	process
File opened (read-only)	\??\J:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\M:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\T:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\U:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\X:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\Z:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\A:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\H:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\K:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\L:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\O:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\Y:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\B:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\P:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\S:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\E:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\F:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\G:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\I:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\N:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\Q:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\R:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\V:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened (read-only)	\??\W:	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe

Drops file in Program Files directory 64 IoCs

Processes:

e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\ffjcext.zip	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\How to decrypt files.txt	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\ui-strings.js	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.nl_zh_4.4.0.v20140623020002.jar	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\How to decrypt files.txt	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\ReceiveSend.fon	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\illustrations_retina.png	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\ui-strings.js	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_radio_unselected_18.svg	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\PREVIEW.GIF	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\EnterRequest.gif	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\organize.svg	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\main-selector.css	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\da-dk\How to decrypt files.txt	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\How to decrypt files.txt	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\ui-strings.js	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-tw\ui-strings.js	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\FillnSign_visual.svg	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\How to decrypt files.txt	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\PlayStore_icon.svg	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\How to decrypt files.txt	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\How to decrypt files.txt	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfont.properties.ja	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\How to decrypt files.txt	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\ui-strings.js	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-ma\ui-strings.js	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ko-kr\How to decrypt files.txt	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\tr-tr\How to decrypt files.txt	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-si\How to decrypt files.txt	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\How to decrypt files.txt	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.properties	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\SEGOEUISL.TTF	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int_2x.gif	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_f_col.hxk	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\classlist	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\How to decrypt files.txt	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-en_us_2x.gif	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-openide-util-enumerations.xml_hidden	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\How to decrypt files.txt	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

520 vssadmin.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3528 PING.EXE

pid	process
520	vssadmin.exe

pid	process
3528	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe

pid	process
3516	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
3516	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exevssvc.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3516	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
Token: SeDebugPrivilege	3516	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
Token: SeBackupPrivilege	1136	vssvc.exe
Token: SeRestorePrivilege	1136	vssvc.exe
Token: SeAuditPrivilege	1136	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3516 wrote to memory of 520	3516	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe	vssadmin.exe
PID 3516 wrote to memory of 520	3516	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe	vssadmin.exe
PID 3516 wrote to memory of 604	3516	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe	cmd.exe
PID 3516 wrote to memory of 604	3516	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe	cmd.exe
PID 3516 wrote to memory of 1032	3516	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe	cmd.exe
PID 3516 wrote to memory of 1032	3516	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe	cmd.exe
PID 604 wrote to memory of 2212	604	cmd.exe	bcdedit.exe
PID 604 wrote to memory of 2212	604	cmd.exe	bcdedit.exe
PID 1032 wrote to memory of 2852	1032	cmd.exe	bcdedit.exe
PID 1032 wrote to memory of 2852	1032	cmd.exe	bcdedit.exe
PID 3516 wrote to memory of 772	3516	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe	cmd.exe
PID 3516 wrote to memory of 772	3516	e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe	cmd.exe
PID 772 wrote to memory of 3528	772	cmd.exe	PING.EXE
PID 772 wrote to memory of 3528	772	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
"C:\Users\Admin\AppData\Local\Temp\e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:520
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2212
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2852
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe" >> NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3528