9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326

Analysis

max time kernel
144s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
05-03-2022 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
Size

4.6MB
MD5

3f1c123e7a80fef58cf0d2e55f5a74f2
SHA1

4dbb92b7af113b25c4fc1c4ce75fd1e8800a82e0
SHA256

9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326
SHA512

1963b1aa61c6ce561d00f6db6221b7381e28fc02eb1237320e133aec6d5e0e13cc72151a9033026cf8269cd828ec7de3568f2e8f02509a75a93b8fb413917452

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\HOW TO RESTORE YOUR FILES.TXT

Ransom Note

Hello! All your files are encrypted and only I can decrypt them. Contact me: [email protected] or [email protected] Write me if you want to return your files - I can do it very quickly! The header of letter must contain extension of encrypted files. I'm always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service. Attention! Do not rename or edit encrypted files: you may have permanent data loss. To prove that I can recover your files, I am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups) HURRY UP! ! ! ! If you do not email me in the next 48 hours then your data may be lost permanently ! ! !

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ExportUnpublish.png.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File renamed	C:\Users\Admin\Pictures\GrantNew.png => C:\Users\Admin\Pictures\GrantNew.png.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File renamed	C:\Users\Admin\Pictures\StopUpdate.crw => C:\Users\Admin\Pictures\StopUpdate.crw.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Users\Admin\Pictures\StopUpdate.crw.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Users\Admin\Pictures\UndoSkip.tif.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File renamed	C:\Users\Admin\Pictures\ExportUnpublish.png => C:\Users\Admin\Pictures\ExportUnpublish.png.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Users\Admin\Pictures\SyncSave.tif.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointClose.crw.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Users\Admin\Pictures\GrantNew.png.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Users\Admin\Pictures\PingClear.raw.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File renamed	C:\Users\Admin\Pictures\ResizeGet.raw => C:\Users\Admin\Pictures\ResizeGet.raw.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File renamed	C:\Users\Admin\Pictures\StepDismount.raw => C:\Users\Admin\Pictures\StepDismount.raw.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File renamed	C:\Users\Admin\Pictures\SyncSave.tif => C:\Users\Admin\Pictures\SyncSave.tif.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File renamed	C:\Users\Admin\Pictures\UndoSkip.tif => C:\Users\Admin\Pictures\UndoSkip.tif.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File renamed	C:\Users\Admin\Pictures\CheckpointClose.crw => C:\Users\Admin\Pictures\CheckpointClose.crw.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File renamed	C:\Users\Admin\Pictures\PingClear.raw => C:\Users\Admin\Pictures\PingClear.raw.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Users\Admin\Pictures\ResizeGet.raw.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Users\Admin\Pictures\StepDismount.raw.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO RESTORE YOUR FILES.TXT	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW TO RESTORE YOUR FILES.TXT	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\ui-strings.js.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.White.png.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Fonts\HOW TO RESTORE YOUR FILES.TXT	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-125.png	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\ui-strings.js.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\ui-strings.js	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-black_scale-100.png	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-40_altform-unplated.png	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\13.rsrc	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\HOW TO RESTORE YOUR FILES.TXT	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\ui-strings.js.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_BadgeLogo.scale-200.png	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\HOW TO RESTORE YOUR FILES.TXT	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_signed_out.svg.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main.css	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main-selector.css.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\HOW TO RESTORE YOUR FILES.TXT	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\ui-strings.js.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\WordCapabilities.json.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-32_altform-unplated_contrast-white.png	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-200.png	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Google.scale-125.png	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\ui-strings.js	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\HOW TO RESTORE YOUR FILES.TXT	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\circle_2x.png	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\sv-se\HOW TO RESTORE YOUR FILES.TXT	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\PlayStore_icon.svg	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\HOW TO RESTORE YOUR FILES.TXT	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\gd.pak.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_ja.jar	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\WT61FR.LEX.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireMedTile.scale-125.jpg	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125.png	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_contrast-black.png	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\HOW TO RESTORE YOUR FILES.TXT	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ca-es\ui-strings.js	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_fr.properties.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-100.png	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\et-EE\View3d\HOW TO RESTORE YOUR FILES.TXT	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-150.png	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\createpdf.svg	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\Xusage.txt	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\dailymotion.luac.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_altform-unplated_contrast-black.png	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_Success.jpg	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\TwoWayBlendPage.xbf	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\PlayStore_icon.svg.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ppd.xrm-ms.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\StepCompare.css	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW TO RESTORE YOUR FILES.TXT	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jconsole.jar.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar.yulnedxmo	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3888	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3472	vssvc.exe
Token: SeRestorePrivilege	3472	vssvc.exe
Token: SeAuditPrivilege	3472	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 1664	396	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe	55
PID 396 wrote to memory of 1664	396	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe	55
PID 1664 wrote to memory of 2512	1664	cmd.exe	57
PID 1664 wrote to memory of 2512	1664	cmd.exe	57
PID 1664 wrote to memory of 324	1664	cmd.exe	58
PID 1664 wrote to memory of 324	1664	cmd.exe	58
PID 396 wrote to memory of 2244	396	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe	59
PID 396 wrote to memory of 2244	396	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe	59
PID 396 wrote to memory of 3608	396	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe	69
PID 396 wrote to memory of 3608	396	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe	69
PID 3608 wrote to memory of 3888	3608	cmd.exe	71
PID 3608 wrote to memory of 3888	3608	cmd.exe	71
PID 396 wrote to memory of 324	396	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe	74
PID 396 wrote to memory of 324	396	9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe	74

C:\Users\Admin\AppData\Local\Temp\9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe
"C:\Users\Admin\AppData\Local\Temp\9a18e445b1dc26e179e43bcc64a8c4580a300fe0ddfa02a1abb9d6380ce96326.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\prefunylucoebincll.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\system32\sc.exe
    SC QUERY
    3⤵
    PID:2512
- - C:\Windows\system32\findstr.exe
    FINDSTR SERVICE_NAME
    3⤵
    PID:324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ympbqm.bat
  2⤵
  PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ejxbuwympbdxbhhldum.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dveupwr.bat
  2⤵
  PID:324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact