Analysis

max time kernel: 4294202s
max time network: 124s
platform: windows7_x64
resource: win7-20220223-en
submitted: 05-03-2022 20:49
Static task: static1
Behavioral task: behavioral1
  Sample: b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
  Resource: win10v2004-en-20220113
General

Target: b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
Size: 53KB
MD5: 4d9f47ef1d60ed6be978869034c85b7a
SHA1: 46408fe3437ffc49139cfc046db9f1b941965658
SHA256: b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e
SHA512: 8a40e4fa485d27a427cb00e32f9632f688384ed514c3a5d64d6fe05fa67ed090a4996cef21a050264b27a7cdabc0d28fd781b931e54cbe906484d5d7b766eff1
Malware Config

Extracted: C:\how_to_back_files.html
Signatures

GlobeImposter
GlobeImposter is a ransomware family first seen in 2017.

Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files. Every rename below appends .mxlock to the original file name, which is the extension to hunt for on other hosts.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\ProtectLock.tif => C:\Users\Admin\Pictures\ProtectLock.tif.mxlock | b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
File renamed | C:\Users\Admin\Pictures\ReceiveGroup.raw => C:\Users\Admin\Pictures\ReceiveGroup.raw.mxlock | b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
File renamed | C:\Users\Admin\Pictures\RedoRepair.tif => C:\Users\Admin\Pictures\RedoRepair.tif.mxlock | b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
File renamed | C:\Users\Admin\Pictures\StartReset.tif => C:\Users\Admin\Pictures\StartReset.tif.mxlock | b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
File renamed | C:\Users\Admin\Pictures\InstallSend.png => C:\Users\Admin\Pictures\InstallSend.png.mxlock | b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
File opened for modification | C:\Users\Admin\Pictures\MergeOut.tiff | b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
File renamed | C:\Users\Admin\Pictures\MergeOut.tiff => C:\Users\Admin\Pictures\MergeOut.tiff.mxlock | b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe

Deletes itself (1 IoC)
pid | Process
1980 | cmd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
The value is written under RunOnce, so it is executed (and then removed) at that user's next logon. Note that it points at a copy of the sample under AppData\Local, not the AppData\Local\Temp path the sample was launched from and later deleted (see the process tree).
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe" | b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
Drops desktop.ini file(s) (37 IoCs)
All 37 entries: description = File opened for modification, Process = b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
ioc
C:\Program Files\Microsoft Games\Chess\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Public\Recorded TV\Sample Media\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Program Files\desktop.ini
C:\Program Files\Microsoft Games\Hearts\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Program Files\Microsoft Games\Mahjong\desktop.ini
C:\Users\Public\Recorded TV\desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Program Files\Microsoft Games\Solitaire\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
C:\Program Files\Microsoft Games\Purble Place\desktop.ini
C:\$Recycle.Bin\S-1-5-21-1405931862-909307831-4085185274-1000\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
C:\Program Files\Microsoft Games\FreeCell\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
Drops file in Program Files directory (64 IoCs)
Process for all 64 entries: b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe. The "File created" rows are the ransom note how_to_back_files.html being dropped into each directory alongside the files it opens for modification.
description | ioc
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03339_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02897J.JPG
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00494_.WMF
File opened for modification | C:\Program Files\Java\jre7\lib\zi\SystemV\AST4
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGLINACC.XML
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.DPV
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.DPV
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Horizon.thmx
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_socket.dll
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\NOTICE
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libpodcast_plugin.dll
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14793_.GIF
File opened for modification | C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\how_to_back_files.html
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01163_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183574.WMF
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\liberase_plugin.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Status.accft
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MSTHED98.POC
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYBB.DPV
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageSlice.gif
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Juneau
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\how_to_back_files.html
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Wordcnvr.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN075.XML
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196358.WMF
File created | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\how_to_back_files.html
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialResume.dotx
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Solstice.thmx
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00092_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187859.WMF
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6
File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.GIF
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\how_to_back_files.html
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\how_to_back_files.html
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\how_to_back_files.html
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00015_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01196_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00308_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR33B.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152436.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152602.WMF
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTEAR.DPV
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART14.BDR
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195342.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\libarchive_plugin.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBAR11.POC
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212601.WMF
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (4 IoCs)
All four writes target PID 1980, the cmd.exe child shown in the process tree, so this is the parent writing into a child it spawned rather than into an unrelated process.
description | pid | Process | procid_target
PID 1924 wrote to memory of 1980 | 1924 | b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | 31
PID 1924 wrote to memory of 1980 | 1924 | b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | 31
PID 1924 wrote to memory of 1980 | 1924 | b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | 31
PID 1924 wrote to memory of 1980 | 1924 | b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | 31
Processes

C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 1924

  C:\Windows\SysWOW64\cmd.exe (child of PID 1924)
    command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe > nul
    - Deletes itself
    PID: 1980

Note: the command line names system32\cmd.exe but the image that ran is SysWOW64\cmd.exe, which is WoW64 file-system redirection applied because the parent is a 32-bit process. The del removes only the launched copy in Temp; the RunOnce value recorded above still references the copy under AppData\Local.
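The four behaviours the sandbox flagged (mass renames to .mxlock, how_to_back_files.html dropped into many directories, a RunOnce value pointing into AppData, and a cmd.exe child deleting the parent's image) can be expressed as detection rules over endpoint telemetry. The Python below is an added example written for this page, not the sandbox's own signature code. Its event format, field names, helper functions and thresholds are assumptions; the paths, PIDs, extension and registry value are taken from the report, and the event stream is constructed from the IoC rows above with one benign rename added to show the rule ignoring it.

```python
"""Rule-based triage over process, file and registry events, modelled on the
signature rows of the report above. Added example, not the sandbox's code.
Event dictionaries, field names, helpers and thresholds are assumptions;
paths, PIDs, the .mxlock extension and the RunOnce value come from the report."""
import ntpath
import re
from collections import Counter, defaultdict

SAMPLE = "b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe"
SAMPLE_PATH = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE)
PICTURES = r"C:\Users\Admin\Pictures"

def _rename(pid, src, dst):
    return {"type": "file_rename", "pid": pid, "src": src, "dst": dst}

def _create(pid, path):
    return {"type": "file_create", "pid": pid, "path": path}

# Constructed event stream; values follow the report's IoC rows.
EVENTS = [
    {"type": "proc_create", "pid": 1924, "ppid": 1000, "image": SAMPLE_PATH,
     "cmdline": f'"{SAMPLE_PATH}"'},
] + [
    _rename(1924, ntpath.join(PICTURES, n), ntpath.join(PICTURES, n + ".mxlock"))
    for n in ("ProtectLock.tif", "ReceiveGroup.raw", "RedoRepair.tif",
              "StartReset.tif", "InstallSend.png", "MergeOut.tiff")
] + [
    # Benign rename by an unrelated process (constructed): must not count.
    _rename(2000, r"C:\Users\Admin\Documents\report.docx",
            r"C:\Users\Admin\Documents\report-final.docx"),
] + [
    _create(1924, ntpath.join(d, "how_to_back_files.html")) for d in (
        r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR",
        r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina",
        r"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE",
        r"C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData"
        r"\groove.net\GrooveForms4\FormsStyles\Swirl",
    )
] + [
    {"type": "reg_set", "pid": 1924,
     "key": r"\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "name": "BrowserUpdateCheck",
     "value": ntpath.join(r"C:\Users\Admin\AppData\Local", SAMPLE)},
    {"type": "proc_create", "pid": 1980, "ppid": 1924,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\system32\\cmd.exe" /c del {SAMPLE_PATH} > nul'},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
DEL_CMD = re.compile(r'/c\s+del\s+(?:/[a-z]+\s+)*"?(?P<target>[^">]+?)"?\s*(?:>|$)', re.I)

def mass_rename(events, min_files=5):
    """Rule 1: one process appends the same new suffix to many files.
    Returns [(pid, suffix, count)] for each (pid, suffix) at or above threshold."""
    per_pid = defaultdict(Counter)
    for e in events:
        if e["type"] == "file_rename" and e["dst"].lower().startswith(e["src"].lower() + "."):
            per_pid[e["pid"]][e["dst"][len(e["src"]):].lower()] += 1
    return [(pid, ext, n) for pid, c in per_pid.items() for ext, n in c.items() if n >= min_files]

def ransom_note_spray(events, min_dirs=3):
    """Rule 2: the same file name created in many distinct directories."""
    dirs = defaultdict(set)
    for e in events:
        if e["type"] == "file_create":
            head, tail = ntpath.split(e["path"])
            dirs[tail.lower()].add(head.lower())
    return [(name, len(d)) for name, d in dirs.items() if len(d) >= min_dirs]

def run_key_to_user_path(events):
    """Rule 3: Run/RunOnce value whose target lives under a user's AppData."""
    return [(e["name"], e["value"]) for e in events
            if e["type"] == "reg_set" and RUN_KEY.search(e["key"])
            and USER_WRITABLE.match(e["value"].strip('"'))]

def self_delete(events):
    """Rule 4: a cmd.exe child whose 'del' target is its parent's own image."""
    image = {e["pid"]: e["image"] for e in events if e["type"] == "proc_create"}
    hits = []
    for e in events:
        if e["type"] != "proc_create" or ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        m = DEL_CMD.search(e["cmdline"])
        parent = image.get(e.get("ppid"))
        if m and parent and m.group("target").strip().lower() == parent.lower():
            hits.append((e["ppid"], e["pid"], parent))
    return hits

def triage(events):
    """Run every rule; a non-empty list is a hit."""
    return {f.__name__: f(events) for f in (mass_rename, ransom_note_spray,
                                            run_key_to_user_path, self_delete)}

if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule:22s} {'HIT' if hits else '-'} {hits}")
```

The rules key on structure rather than on this sample's literal strings: rule 1 fires on any suffix applied to enough files by one process, rule 2 on any note name sprayed across directories, rule 3 on any autostart value in AppData, and rule 4 compares the del target against the parent's recorded image path rather than a fixed name. Thresholds are deliberately low for the small constructed stream and should be tuned against real telemetry volumes.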