Analysis
-
max time kernel
151s -
max time network
122s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
23-12-2021 21:59
Static task
static1
Behavioral task
behavioral1
Sample
70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe
Resource
win10-en-20211208
windows10_x64
0 signatures
0 seconds
General
-
Target
70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe
-
Size
51KB
-
MD5
82f5dbbe1726bb9005072690b201aaac
-
SHA1
7aef263a300c999b2a3d7d459308db6fb1906790
-
SHA256
70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d
-
SHA512
3cf95d7960fc2385041c1f51efe2180c1576ba191cd2699d36161d6740ffcb316f5db08d014404da426018341c0c60e14e22e1cb9bfed6d540ce657aaba85dcb
Score
10/10
Malware Config
Extracted
Path
C:\read-me.txt
Family
globeimposter
Ransom Note
All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or
http://helpqvrg3cc5mvb3.onion/
Your ID
���42 79 55 6C 9E C3 4A 74 B7 AA C5 56 34 15 48 44
82 2D 55 EB A0 DF 6B 63 6D 5E 9A 73 A2 CF 52 57
94 7B 12 37 B8 4B C6 42 AC 2C F4 26 85 DA 0A A1
B7 75 20 DC 69 07 26 11 7D C4 F3 59 BE 7C B6 EB
27 70 14 EE 0F 5F 7D 68 3D DD 68 38 18 AD BA B4
54 E0 86 C8 1C 63 C3 ED 8D C1 8C C9 F2 22 8A 4F
D9 10 D9 76 94 9D 46 86 B6 92 80 52 3C 3B B3 ED
68 89 61 1E 75 F1 43 34 58 BC 5F 4D A5 97 76 5C
F7 81 07 E7 7A 3C B0 7E A7 8F A8 33 45 FC 47 92
F8 9B FF 36 09 4D C3 B8 0D 7B 7C C0 BC CE 92 5C
CF D8 DB DE 4D B6 07 75 CD 85 75 6D 09 94 47 B6
BF A7 8A 76 12 13 C1 96 57 F6 47 C5 8A 49 C8 4E
73 79 58 88 EC B5 C7 FF 0E 37 2A F2 8B CA FF 95
CC 80 73 5E 62 54 66 BE 08 DD C4 30 17 8F B6 E1
01 83 85 D2 E6 B2 C5 39 05 35 F8 3F 15 01 C2 4E
12 50 01 82 80 10 51 DB 67 40 CA 7B C2 AC 5C 9F
URLs
http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
http://helpqvrg3cc5mvb3.onion/
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\OutReset.crw => C:\Users\Admin\Pictures\OutReset.crw.xls 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 28 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-2361464256-2201551969-2316606395-1000\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Admin\Links\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files (x86)\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Public\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Admin\Music\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Public\Music\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Public\Documents\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Public\Videos\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\resources.pri 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-100.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-125.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_12h.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-125_contrast-white.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.dom.smil_1.0.0.v200806040011.jar 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\read-me.txt 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview-hover.svg 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6416_32x32x32.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c\SkypeApp\Assets\SkypeMedTile.scale-125.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\osf\ellipsis_16x16x32.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-100.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-400.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\sakura.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\Icons\spider.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.scale-150.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-loaders.xml 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\SmallTile.scale-125.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-125.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-24.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-125.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\acrobat_pdf.svg 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-32_altform-unplated.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\mz_16x11.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\tf_60x42.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\line_2x.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-20_altform-unplated_contrast-white.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ConfigurationManager.dll 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.FileUtils.Resources.dll 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-100_contrast-black.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-20.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PeopleAppStoreLogo.scale-100.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectAppList.targetsize-16.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_ja_4.4.0.v20140623020002.jar 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\read-me.txt 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter_18.svg 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_empty.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-32.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\read-me.txt 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp7.scale-125.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxOutlook.Resources.dll 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\ConstantsPerObjectInstanced.fx 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_11h.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File created C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\read-me.txt 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\vreg\osmux.x-none.msi.16.x-none.vreg.dat 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ru_135x40.svg 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\ui-strings.js 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\LargeTile.scale-125.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-20_altform-unplated.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200.png 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libtransform_plugin.dll 70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Processes
-
C:\Users\Admin\AppData\Local\Temp\70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe"C:\Users\Admin\AppData\Local\Temp\70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2836