Analysis

max time kernel: 173s
max time network: 185s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 03:19

Static task: static1

Behavioral task: behavioral1
Sample: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
Resource: win10-en-20211208

General

Target: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
Size: 73KB
MD5: 1c021f42e3a138060e1d298726d1579f
SHA1: 54e3384fb68fde6fc711491e8072781e3910156a
SHA256: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c
SHA512: 5ee344d17b5e9a2285258b8e16253263ebb856167b36e7679e602c041c2320c10a7182a7cb5c14f59fe3117a981e96fdff6fa7dc2c2194e90a6f659de143c101
Malware Config

Extracted from the ransom note C:\odt\How_to_recovery.txt:
- ithelp02@decorous.cyou
- ithelp02@wholeness.business
- http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
- File renamed: C:\Users\Admin\Pictures\FormatAdd.png => C:\Users\Admin\Pictures\FormatAdd.png.farattack
- File opened for modification: C:\Users\Admin\Pictures\SyncConfirm.tiff
- File renamed: C:\Users\Admin\Pictures\SyncConfirm.tiff => C:\Users\Admin\Pictures\SyncConfirm.tiff.farattack
Adds Run key to start application (2 TTPs, 1 IoC)
Process: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\LicChk = "C:\\Users\\Admin\\AppData\\Local\\9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe"
Drops desktop.ini file(s) (29 IoCs)
Process: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
All entries are "File opened for modification":
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Users\Public\desktop.ini
- C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini
- C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Users\Public\AccountPictures\desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Users\Public\Libraries\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Admin\Pictures\Camera Roll\desktop.ini
- C:\Users\Public\Downloads\desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Program Files\desktop.ini
- C:\Program Files (x86)\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Admin\OneDrive\desktop.ini
- C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
- File opened (read-only): \??\A:
Drops file in Program Files directory (64 IoCs)
Process: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\ui-strings.js
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\How_to_recovery.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\How_to_recovery.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_2x.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ui-strings.js
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\no_get.svg
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN107.XML
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\THMBNAIL.PNG
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBCN6.CHM
- File opened for modification: C:\Program Files\Windows Media Player\de-DE\wmpnssui.dll.mui
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\selector.js
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\How_to_recovery.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\How_to_recovery.txt
- File opened for modification: C:\Program Files\Microsoft Office\Office16\SLERROR.XML
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\How_to_recovery.txt
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_zh_CN.jar
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml
- File opened for modification: C:\Program Files\7-Zip\Lang\ku.txt
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\How_to_recovery.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\japanese_over.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\ui-strings.js
- File opened for modification: C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd
- File opened for modification: C:\Program Files (x86)\Windows NT\Accessories\de-DE\wordpad.exe.mui
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\ui-strings.js
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-cn\ui-strings.js
- File created: C:\Program Files\Common Files\microsoft shared\ink\zh-CN\How_to_recovery.txt
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaTypewriterBold.ttf
- File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\How_to_recovery.txt
- File opened for modification: C:\Program Files\Windows Defender\en-US\ProtectionManagement.dll.mui
- File created: C:\Program Files\Internet Explorer\es-ES\How_to_recovery.txt
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-actions.xml
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\How_to_recovery.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_delete_18.svg
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\ui-strings.js
- File created: C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\How_to_recovery.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.manifest
- File opened for modification: C:\Program Files\Windows Defender\en-US\EppManifest.dll.mui
- File opened for modification: C:\Program Files\Windows Media Player\de-DE\setup_wm.exe.mui
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, vssadmin.exe
- PID 1480: vssadmin.exe
- PID 3132: vssadmin.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: vssvc.exe, 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
- Token: SeBackupPrivilege, PID 2624 (vssvc.exe)
- Token: SeRestorePrivilege, PID 2624 (vssvc.exe)
- Token: SeAuditPrivilege, PID 2624 (vssvc.exe)
- Token: SeIncBasePriorityPrivilege, PID 2472 (9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe)
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe, cmd.exe, cmd.exe
- PID 2472 (9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe) wrote to memory of PID 584 (cmd.exe), 2 events
- PID 584 (cmd.exe) wrote to memory of PID 1480 (vssadmin.exe), 2 events
- PID 2472 (9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe) wrote to memory of PID 3960 (cmd.exe), 2 events
- PID 3960 (cmd.exe) wrote to memory of PID 3132 (vssadmin.exe), 2 events
- PID 2472 (9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe) wrote to memory of PID 2868 (cmd.exe), 3 events
Processes

- C:\Users\Admin\AppData\Local\Temp\9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe"
  Signatures:
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" cd %userprofile%\documents\ attrib Default.rdp -s -h del Default.rdp for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      Signatures:
      - Interacts with shadow copies
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" cd %userprofile%\documents\ attrib Default.rdp -s -h del Default.rdp for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      Signatures:
      - Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe > nul
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
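The behaviours recorded above are the ones a detection should key on: the cmd.exe chain that deletes shadow copies, wipes Terminal Server Client history and Default.rdp, and clears every event log via wevtutil; the RunOnce value under WOW6432Node pointing at a copy of the binary in the user profile; and the burst of user-file renames that append .farattack. The Python below is an added example, not part of this sandbox report and not code from the sample. It runs a handful of rules over constructed Sysmon-style events modelled on the process tree. Assumptions: the event field layout is invented; pids 1234, 900, 4000 and 4100 and the two benign control events are made up; and the sub-commands of the cmd.exe line are joined with '&', because the report does not preserve the separators.

```python
"""Added example: detection rules for the behaviours in this report, run over
constructed Sysmon-style events (not sandbox output). Assumptions are marked."""
import re
from collections import defaultdict

SAMPLE = "9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe"

# The report shows cmd.exe's sub-commands without separators; '&' is assumed here.
WIPE_CMD = (
    r'"C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
    r'& reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f '
    r'& reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f '
    r'& reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" '
    r'& cd %userprofile%\documents\ & attrib Default.rdp -s -h & del Default.rdp '
    r'''& for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"'''
)

# Constructed events modelled on the process tree above (hypothetical field layout).
# Pids 584, 1480 and 2472 come from the report; 1234, 900, 4000 and 4100 are made up.
EVENTS = [
    {"type": "process", "pid": 2472, "ppid": 1234,
     "image": rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}",
     "cmd": rf'"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"'},
    {"type": "process", "pid": 584, "ppid": 2472, "image": r"C:\Windows\system32\cmd.exe", "cmd": WIPE_CMD},
    {"type": "process", "pid": 1480, "ppid": 584, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "registry_set", "pid": 2472,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\LicChk",
     "data": rf"C:\Users\Admin\AppData\Local\{SAMPLE}"},
    {"type": "file_rename", "pid": 2472, "old": r"C:\Users\Admin\Pictures\FormatAdd.png",
     "new": r"C:\Users\Admin\Pictures\FormatAdd.png.farattack"},
    {"type": "file_rename", "pid": 2472, "old": r"C:\Users\Admin\Pictures\SyncConfirm.tiff",
     "new": r"C:\Users\Admin\Pictures\SyncConfirm.tiff.farattack"},
    # Benign controls (constructed): an admin listing shadows, a user renaming one photo.
    {"type": "process", "pid": 4000, "ppid": 900, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows"},
    {"type": "file_rename", "pid": 4100, "old": r"C:\Users\Admin\Pictures\a.png",
     "new": r"C:\Users\Admin\Pictures\b.png"},
]

# One command-line rule per step of the cmd.exe chain in the report.
COMMAND_RULES = {
    "inhibit_recovery/vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "defense_evasion/wevtutil_clear_logs": re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I),
    "defense_evasion/rdp_history_wiped": re.compile(
        r'\breg\s+delete\s+"?HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\', re.I),
    "defense_evasion/default_rdp_deleted": re.compile(r"\bdel\s+Default\.rdp\b", re.I),
}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_PROFILE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)
MASS_RENAME_THRESHOLD = 2  # sized for this tiny sample; raise it for real telemetry


def match_command_line(cmd):
    """Names of the command-line rules that `cmd` triggers."""
    return [name for name, rx in COMMAND_RULES.items() if rx.search(cmd)]


def appended_extension(old, new):
    """Return the single extension appended to `old` to form `new` (e.g. 'farattack'), else None."""
    suffix = new[len(old) + 1:]
    if new.startswith(old + ".") and suffix and "." not in suffix:
        return suffix
    return None


def detect(events):
    """Map pid -> sorted finding names for one batch of events."""
    findings = defaultdict(set)
    renames = defaultdict(lambda: defaultdict(int))  # pid -> appended extension -> count
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process":
            findings[pid].update(match_command_line(ev["cmd"]))
        elif ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            findings[pid].add("persistence/run_key")
            if USER_PROFILE_RE.match(ev["data"]):  # autorun pointing into a user profile
                findings[pid].add("persistence/run_key_targets_user_profile")
        elif ev["type"] == "file_rename":
            ext = appended_extension(ev["old"], ev["new"])
            if ext and USER_PROFILE_RE.match(ev["old"]):
                renames[pid][ext] += 1
    for pid, by_ext in renames.items():
        for ext, n in by_ext.items():
            if n >= MASS_RENAME_THRESHOLD:
                findings[pid].add(f"impact/mass_rename_appended_ext:.{ext}")
    return {pid: sorted(f) for pid, f in findings.items() if f}


def roll_up_to_parents(events, findings):
    """Attach each child's findings to its ancestors as 'child:<name>', following ppid links."""
    parent = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "process"}
    rolled = defaultdict(set, {pid: set(names) for pid, names in findings.items()})
    for pid, names in findings.items():
        anc = parent.get(pid)
        while anc is not None:
            rolled[anc].update(f"child:{n}" for n in names)
            anc = parent.get(anc)
    return {pid: sorted(f) for pid, f in rolled.items()}


if __name__ == "__main__":
    for pid, names in sorted(roll_up_to_parents(EVENTS, detect(EVENTS)).items()):
        print(pid, *names, sep="\n  ")
```

The roll-up step matters for this sample: on their own, cmd.exe and vssadmin.exe look like an administrator's clean-up, and the renames alone look like a user changing extensions. Attributing the child findings to pid 2472 is what ties shadow deletion, log clearing, RunOnce persistence and mass renaming to one binary, which is the combination the Signatures section above describes.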