Analysis
max time kernel: 148s
max time network: 148s
platform: windows10_x64
resource: win10-en-20211208
submitted: 04-01-2022 14:57
Static task: static1
Behavioral task: behavioral1
Sample: b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
Resource: win10-en-20211208
0 signatures, 0 seconds
General
Target: b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
Size: 4.0MB
MD5: 627914078afb6e8601c91fc8552887bc
SHA1: 7e149639e304024e895b2ce7a35a1626abf084f2
SHA256: b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5
SHA512: 52dd6dcfc9d70c8d4fa47c589fc54d939277bcf2fc1989efb8830384b2bce2ebca4ad28c347e2339783f4c4d86edbade9c4a5d3487daa885310db5d7f61883b8
Score: 6/10
Malware Config
Signatures
Drops desktop.ini file(s) (3 IoCs)
description | ioc | Process
File created | C:\$Recycle.Bin\S-1-5-21-2361464256-2201551969-2316606395-1000\desktop.ini | b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
File created | C:\Program Files\desktop.ini | b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
File created | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini | b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\×ÀÃæ±³¾°Í¼Æ¬.bmp" | b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
Note: the file name is recorded exactly as the English (CP1252) analysis VM saw it. The bytes behind it are GBK (D7C0 C3E6 B1B3 BEB0 CDBC C6AC), which decode to 桌面背景图片 ("desktop background image"). On a Chinese-locale host the same sample writes C:\Windows\桌面背景图片.bmp, so a file-name rule or hunt has to match both renderings. The GBK-encoded strings also indicate the sample was written for, or by someone using, a Chinese-locale system.
Drops file in Program Files directory (64 IoCs)
Process (every row): b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
description | ioc
File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ppd.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\deploy.dll
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\fontconfig.properties.src
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox_1.0.500.v20131211-1531.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_zh_CN.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms
File opened for modification | C:\Program Files\7-Zip\Lang\be.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\charsets.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\hijrah-config-umalqura.properties
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\ext\jfxrt.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\89.0.4389.114.manifest
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar
File opened for modification | C:\Program Files\Microsoft Office\ThinAppXManifest.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Client\msvcr120.dll
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-io.jar
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe
File opened for modification | C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7.wmv
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\docs.crx
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\MANIFEST.MF
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sr.pak
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml
Note: the targets span every file type under Program Files (7-Zip language files, JDK jars and executables, Office licence .xrm-ms files, Chrome's elevation_service.exe and locale packs). The sample makes no attempt to spare executables or runtime DLLs, which is the indiscriminate mass modification that fits the "Likely ransomware behaviour" note on the storage-enumeration signature below.
Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\×ÀÃæ±³¾°Í¼Æ¬.bmp | b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
Note: this is the wallpaper image the registry value above points to, carrying the same CP1252-rendered GBK name (桌面背景图片.bmp).
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1016 | b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
Token: 33 | 960 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 960 | AUDIODG.EXE
Note: only the first row belongs to the sample (enabling SeDebugPrivilege in its own token). AUDIODG.EXE is the Windows audio device graph isolation process; its two privilege adjustments (LUID 33 is SeIncreaseWorkingSetPrivilege) are baseline activity of the VM and not behaviour triggered by the sample.
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 1016 wrote to memory of 2368 | 1016 | b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe | 71
PID 1016 wrote to memory of 2368 | 1016 | b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe | 71
PID 1016 wrote to memory of 2368 | 1016 | b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe | 71
Note: all three writes go from the sample into PID 2368, the mshta.exe child it starts (see the process tree). A few writes into a freshly created child process are what ordinary process creation produces; on their own they are not evidence of code injection.
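The CJK names in the tables above are GBK bytes recorded through the English VM's CP1252 code page, and the tables themselves reach the reader as one flattened run of text. The script below is an added example, not part of the report and not the sample's code: it parses rows in the report's "description ioc Process" layout (the five rows embedded are copied from the tables above), reverses the mojibake with a cp1252-to-gbk round trip, and emits the file and registry indicators in both renderings so a hunt matches English- and Chinese-locale hosts alike. The function names and the indicator tuple layout are this example's own.

```python
# Added example, not part of the sandbox report or the sample.
# Parses the report's flattened "description ioc Process" rows, reverses the
# CP1252-rendered GBK file name the sandbox recorded, and lists host indicators
# in both renderings. Function names and the tuple layout are this example's own.
import re
from collections import Counter

# Process column of every row in the tables above (the sample itself).
SAMPLE_EXE = "b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe"

# Five rows copied from the report's signature tables, joined the way the
# flattened page text presents them (one long run of text).
REPORT_ROWS = " ".join([
    rf"File created C:\$Recycle.Bin\S-1-5-21-2361464256-2201551969-2316606395-1000\desktop.ini {SAMPLE_EXE}",
    rf"File created C:\Program Files\desktop.ini {SAMPLE_EXE}",
    rf"File created C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini {SAMPLE_EXE}",
    rf'Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\×ÀÃæ±³¾°Í¼Æ¬.bmp" {SAMPLE_EXE}',
    rf"File created C:\Windows\×ÀÃæ±³¾°Í¼Æ¬.bmp {SAMPLE_EXE}",
])

# Row descriptions used by the report's tables.
DESCRIPTIONS = ("File created", "File opened for modification", "Key created", "Set value (str)")


def row_pattern(process):
    """Regex for one row: <description> <ioc> <process>. The ioc group is
    non-greedy and ends right before the process name, so paths that themselves
    end in .exe (e.g. elevation_service.exe) are not cut short."""
    return re.compile(
        r"(?P<desc>" + "|".join(re.escape(d) for d in DESCRIPTIONS) + r")\s+"
        r"(?P<ioc>.+?)\s+(?P<proc>" + re.escape(process) + r")(?=\s|$)"
    )


def parse_rows(flat_text, process=SAMPLE_EXE):
    """Split flattened table text into records, first collapsing the line
    wrapping the page inserted in the middle of long paths."""
    flat_text = " ".join(flat_text.split())
    return [m.groupdict() for m in row_pattern(process).finditer(flat_text)]


def demojibake(text, shown_as="cp1252", actual="gbk"):
    """Undo a name written as <actual>-encoded bytes through the ANSI file APIs
    of a host whose ANSI code page is <shown_as>. Returns the input unchanged
    when the bytes do not round-trip cleanly."""
    try:
        return text.encode(shown_as).decode(actual)
    except UnicodeError:
        return text


def summarize(records):
    """Count rows per description."""
    return Counter(r["desc"] for r in records)


def host_indicators(records):
    """File paths and registry values to check on a host, each CJK name in both
    the recorded (CP1252) and the decoded rendering."""
    found = set()
    for r in records:
        if r["desc"].startswith("File "):
            for p in (r["ioc"], demojibake(r["ioc"])):
                found.add(("file", p))
        elif r["desc"] == "Set value (str)":
            key, _, value = r["ioc"].partition(" = ")
            value = value.strip('"').replace("\\\\", "\\")  # undo the report's escaping
            for v in (value, demojibake(value)):
                found.add(("registry", key, v))
    return sorted(found)


if __name__ == "__main__":
    recs = parse_rows(REPORT_ROWS)
    print(dict(summarize(recs)))
    for ind in host_indicators(recs):
        print(" | ".join(ind))
```

Feeding the whole 64-row "Drops file in Program Files directory" table through parse_rows works the same way, because the sample's own name is the only token the ioc column can never contain.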
Processes
1. C:\Users\Admin\AppData\Local\Temp\b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe"
   PID: 1016
   - Drops desktop.ini file(s)
   - Sets desktop wallpaper using registry
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_²¡Ãû¤ÏÛ¤À¤Ã¤¿_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      PID: 2368
1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0x2f8
   PID: 960
   - Suspicious use of AdjustPrivilegeToken
Note: after the mass file modification the sample starts mshta.exe on an .hta it placed on the user's Desktop, the usual way an HTA ransom note is displayed. The child is the SysWOW64 (32-bit) mshta.exe, consistent with a 32-bit sample running under WOW64. The .hta name is, like the wallpaper file, GBK rendered through CP1252: its leading characters decode to 病名 ("disease name") followed by Japanese hiragana, while the middle of the name did not survive extraction cleanly enough to recover in full. AUDIODG.EXE is an unrelated system process that happened to run during the analysis window.
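The process tree above is the detection opportunity: a non-shell parent starting mshta.exe on an .hta that sits in a user-writable directory. The rule below is an added example, not the report's or the sample's code. It evaluates process-creation events whose field names (ParentImage, Image, CommandLine) are an assumption modelled on Sysmon event ID 1; the first event reproduces the report's own mshta line and the other two are constructed benign events. The list of user-writable locations and of expected shell parents are heuristics of this example.

```python
# Added example, not part of the sandbox report or the sample.
# Flags the pattern in the process tree above: mshta.exe started by a
# non-shell parent to run an .hta that lives in a user-writable location.
# Event field names are an assumption modelled on Sysmon event ID 1.
import re
from pathlib import PureWindowsPath

# First .hta on a Windows command line, quoted or bare.
HTA_RE = re.compile(r'"([^"]+?\.hta)"|(\S+?\.hta)(?=\s|$)', re.IGNORECASE)

# Path components that mark a location an unprivileged user can write to
# (heuristic, an assumption of this example).
USER_WRITABLE_PARTS = {"users", "temp", "programdata"}

# Parents from which an interactive .hta launch is expected (assumption).
SHELL_PARENTS = {"explorer.exe"}

EVENTS = [
    {   # Taken from the report: sample (PID 1016) -> SysWOW64\mshta.exe (PID 2368)
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe",
        "Image": r"C:\Windows\SysWOW64\mshta.exe",
        "CommandLine": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_²¡Ãû¤ÏÛ¤À¤Ã¤¿_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}',
    },
    {   # Constructed benign event: user opens a vendor HTA installed under Program Files
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\ExampleVendor\setup.hta"',
    },
    {   # Constructed benign event: unrelated program start
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\7-Zip\7zFM.exe",
        "CommandLine": r'"C:\Program Files\7-Zip\7zFM.exe"',
    },
]


def hta_argument(cmdline):
    """Return the .hta path passed on the command line (unquoted), or None."""
    m = HTA_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def in_user_writable(path):
    """True if any component of the path names a user-writable location."""
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return bool(parts & USER_WRITABLE_PARTS)


def evaluate(event):
    """Return (severity, reasons) for one process-creation event, or None."""
    if PureWindowsPath(event["Image"]).name.lower() != "mshta.exe":
        return None
    hta = hta_argument(event["CommandLine"])
    if hta is None:
        return None
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    reasons = []
    if in_user_writable(hta):
        reasons.append("hta in user-writable path")
    if parent not in SHELL_PARENTS:
        reasons.append("parent is not the shell: " + parent)
    if not reasons:
        return None
    # Both signals together is the ransom-note pattern; one alone is worth a look.
    return ("high" if len(reasons) == 2 else "medium", reasons)


def run(events):
    """Evaluate every event; return [(index, severity, reasons), ...] for hits."""
    hits = []
    for i, ev in enumerate(events):
        verdict = evaluate(ev)
        if verdict:
            hits.append((i, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for i, sev, why in run(EVENTS):
        print(f"event {i}: {sev}: {'; '.join(why)}")
```

The rule keys on the parent and on where the .hta lives rather than on the file name, because the name is locale-dependent (the CP1252 rendering seen here differs from what a Chinese-locale host would log) and trivial for the author to change.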