f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201

General

Target

f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
Size

9KB
MD5

04da21c104ea3e996c4fbdc496475743
SHA1

0231ea30add2fa0c06167c8929f8b523ef4d1356
SHA256

f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201
SHA512

918d4459e5e3741ac0eee222bf9e5e81365e7fd5a2a046f3e7e21ceb7788dd1c735ca895048ef04e8e1af49b6dc45cd1bb60b8bcb5caa49b51a148329899a73a

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\DebugUnpublish.tiff	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe

Drops startup file 1 IoCs

Processes:

f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 40 IoCs

Processes:

f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe

description	ioc	process
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Public\Music\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Public\Desktop\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\Desktop\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\Contacts\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\Videos\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\Favorites\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Public\Pictures\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\Searches\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\Links\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\Downloads\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\Music\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Public\Videos\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\Pictures\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe

Drops file in Program Files directory 64 IoCs

Processes:

f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdaorar.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\comdll.X.manifest	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\List.txt	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\WordNet_license.txt	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\es-ES\msaddsr.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\msdatt.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\wab32.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\ado\msado27.tlb	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcor.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcer.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\rtscom.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\ado\de-DE\msader15.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\it-IT\msdaremr.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF64.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\ado\msadox28.tlb	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\msdaprst.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\en-US\msdaremr.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\excluded.txt	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\hyph_en_US.dic	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkObj.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\ado\it-IT\msader15.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\plugin.X.manifest	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Excluded.txt	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\en-US\msaddsr.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\msdaorar.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.aff	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilt.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\msadds.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\PipelineSegments.store	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\ado\msador28.tlb	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaprsr.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\it-IT\msdaprsr.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.dic	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\oledbjvs.inc	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\added.txt	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\Reader_DC.helpcfg	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\ado\msado15.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl64.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_en_CA.txt	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\penusa.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\skchobj.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

3248 NOTEPAD.EXE
2488 NOTEPAD.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NOTEPAD.EXE

pid process

3248 NOTEPAD.EXE

pid	process
3248	NOTEPAD.EXE
2488	NOTEPAD.EXE

pid	process
3248	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe

description	pid	process	target process
PID 4812 wrote to memory of 3248	4812	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe	NOTEPAD.EXE
PID 4812 wrote to memory of 3248	4812	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe	NOTEPAD.EXE
PID 4812 wrote to memory of 3248	4812	f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe
"C:\Users\Admin\AppData\Local\Temp\f21cda69b887bd2c296a48614c12b32c251a2822be81bcb0dabbc4439b04f201.bin.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NominatusRansomware2Message.txt
2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:3248

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NominatusRansomware2Message.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\NominatusRansomware2Message.txt
Filesize
190B

MD5
ba75f34f7956803c3541b082542c978b

SHA1
8008ebef07a1cc16bdab42239c39c6cac8b78de9

SHA256
f19a8b86a038fe95c6a5df55344fe3d4f80f76376f5816d3d5c1086a984ba6e1

SHA512
52e7a8a83e5460d466a566a7e6e985735b760ae09d1bda328df0749c441f569a391e4c260325025131602445f3a5081144cfaba15c93186abb3656fb12ece026

Download Submit
memory/3248-131-0x0000000000000000-mapping.dmp

Download
memory/4812-130-0x0000000000110000-0x0000000000118000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads