mountlocker | 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2

General

Target

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Size

200KB
MD5

c2671bf5b5dedbfd3cfe3f0f944fbe01
SHA1

da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1
SHA256

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2
SHA512

256bc8582cc9b53b3cf9307a2882117476648ab9df540d501fc5f46a4030beacab9df2019f2d83b0a63d510803cbf6cbae01dc1325588f93a1a74521a07fe4d9
SSDEEP

1536:ssBoz9GFuIdclwKfVPoawSL20mRbg2DrE1mHkrY0f3r6fR0ZzDWR+3itGSh6ZVvg:ssS3oifBoaXhDWA4G3eeJaeIbmC00

Score

10^/10

mountlocker ransomware

Malware Config

Extracted

Path

\??\c:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RecoveryManual.html

Ransom Note

<html> <head> <title>RECOVERY MANUAL</title> </head> <body> <h1>Your ClientId:</h1> <pre> aa0a8ea69e22c4a789b451ab4101d8503b87a01ec6bd15d5e00577a9cc00a14e </pre> <hr/> /!\ YOUR NETWORK HAS BEEN HACKED /!\ All your important files have been encrypted! <hr/> Your files are safe! Only encrypted. ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. You can send us 2-3 files and we will decrypt it for free to prove we are able to give your files back. Also we gathered highly confidential/personal data from your network. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you won't pay, we will release your data to public or reseller. So you can expect your data to be published or improperly used in the near future. In this case you will face all legal and reputational consequences of the leak. We only desire to get a ransom and we don't aim to damage your reputation or destroy your business. <hr/> Contact us to discuss your next step. <a href="http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d8503b87a01ec6bd15d5e00577a9cc00a14e">http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d8503b87a01ec6bd15d5e00577a9cc00a14e</a> * Note that this server is only available via Tor browser only Follow the instructions to open the link: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. 3. Now you have Tor browser. In the Tor Browser open "http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d8503b87a01ec6bd15d5e00577a9cc00a14e". 4. Start a chat and follow the further instructions. (Password field should be empty for the first login). <hr/> If you can`t use the above link, use the email: <a href="mailto:[email protected]">[email protected]</a> Please note, sometimes our support is away from keyboard, but we will reply shortly. Kindly advise you to contact us as soon as possible. </body> </html>

Emails

href="mailto:[email protected]">[email protected]</a>

Extracted

Path

C:\RecoveryManual.html

Ransom Note

Your ClientId: /!\ YOUR NETWORK HAS BEEN HACKED /!\ All your important files have been encrypted! Your files are safe! Only encrypted. ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. You can send us 2-3 files and we will decrypt it for free to prove we are able to give your files back. Also we gathered highly confidential/personal data from your network. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you won't pay, we will release your data to public or reseller. So you can expect your data to be published or improperly used in the near future. In this case you will face all legal and reputational consequences of the leak. We only desire to get a ransom and we don't aim to damage your reputation or destroy your business. Contact us to discuss your next step. http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d8503b87a01ec6bd15d5e00577a9cc00a14e * Note that this server is only available via Tor browser only Follow the instructions to open the link: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. 3. Now you have Tor browser. In the Tor Browser open "http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d8503b87a01ec6bd15d5e00577a9cc00a14e". 4. Start a chat and follow the further instructions. (Password field should be empty for the first login). If you can`t use the above link, use the email: [email protected] Please note, sometimes our support is away from keyboard, but we will reply shortly. Kindly advise you to contact us as soon as possible.

Emails

[email protected]

URLs

http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d8503b87a01ec6bd15d5e00577a9cc00a14e

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Pictures\SkipRename.tiff	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\SkipRename.tiff => \??\c:\Users\Admin\Pictures\SkipRename.tiff.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\UnpublishAssert.png => \??\c:\Users\Admin\Pictures\UnpublishAssert.png.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\BlockUnblock.tif => \??\c:\Users\Admin\Pictures\BlockUnblock.tif.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\MoveResume.crw => \??\c:\Users\Admin\Pictures\MoveResume.crw.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\PublishBackup.crw => \??\c:\Users\Admin\Pictures\PublishBackup.crw.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\RemoveTrace.png => \??\c:\Users\Admin\Pictures\RemoveTrace.png.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\ResetConnect.crw => \??\c:\Users\Admin\Pictures\ResetConnect.crw.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1964 cmd.exe

pid	process
1964	cmd.exe

Drops desktop.ini file(s) 36 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	ioc	process
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Music\Sample Music\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Mahjong\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Purble Place\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Solitaire\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\FreeCell\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Hearts\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Videos\Sample Videos\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Chess\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Drops file in Program Files directory 64 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiling.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck.css	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00555_.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR31B.GIF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CASHREG.WAV	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_settings.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Asia\Oral	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00373_.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Pacific\Midway	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_over.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Chess\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\greenStateIcon.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153516.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01682_.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis.css	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sao_Paulo	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384888.JPG	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Origin.thmx	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Solstice.thmx	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14515_.GIF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AD.XML	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\40.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\skins\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14691_.GIF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\highDpiImageSwap.js	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21413_.GIF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePageScript.js	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\REPTWIZ.POC	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\grayStateIcon.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01176_.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Lima	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21427_.GIF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssLogo.gif	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\br.txt	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18212_.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2032 vssadmin.exe

pid	process
2032	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000007424543d2391d94ac8ab079aec4d7aac6157ba2e271b81e7a04ac3fbd815ff0a000000000e8000000002000020000000bb0bcc4126b11a320b6b8904ce8bd874a34dae811b6657083abec986126e48e69000000030ae1dfa901f984f1e1d86051971ccea519f7c73ddfd6c0e8921cf424d4578330a81db014093816d1f7514ee5bc4a5399e41067282ad8c1d76659b6a15fb90f13c763c63928b0a76914c5cd1abd4654228853551d001c30ae4bf45bcee87be1d2e8706981d7901db458aa64332c22d8ba4e755bd7efa0a41d9c2373a745aa3576a0f65f98df35e141e1ee0ac30de723740000000083695547d3194b77da6017a3c4d12b7006997e7002a8740918df192406ae03d3bd40242ca85d3d30b00998e50334bdb3fcece74f7a7d180294a62611e3db587	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7CC1A091-3832-11ED-B25A-FE72C9E2D9C9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6110E1D1-3832-11ED-B25A-FE72C9E2D9C9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90a5a3363fccd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a30000000002000000000010660000000100002000000049ed906caed9366c4dd1c9d8b0178c0d2a118f7f991b77b8bb174d157ff632b0000000000e80000000020000200000004be812d9c0af6ba539ed2d3e83f529adb1f3b0c43a2a71e11cb331e55c9c577c20000000d677b0ec00c46bd1609e4bdae8a0fc2051c63cba8f5fad2d7a34e1e18369210740000000a13ec205e543179782beb9cdba6e9b69ea975a68847dfd69d4d1b68373af3960f95acc7fc879a490682003777351df2ef09940335656959a6917f4106eeb5bd9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies registry class 5 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.EF9E23B4\shell\Open	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.EF9E23B4\shell\Open\command\ = "explorer.exe RecoveryManual.html"	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.EF9E23B4\shell\Open\command	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.EF9E23B4\shell	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exetaskmgr.exe

pid	process
1840	powershell.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exevssvc.exe226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exeAUDIODG.EXEtaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeBackupPrivilege	972	vssvc.exe
Token: SeRestorePrivilege	972	vssvc.exe
Token: SeAuditPrivilege	972	vssvc.exe
Token: SeTakeOwnershipPrivilege	1632	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Token: SeRestorePrivilege	1632	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Token: 33	1952	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1952	AUDIODG.EXE
Token: 33	1952	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1952	AUDIODG.EXE
Token: SeDebugPrivilege	1800	taskmgr.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

iexplore.exeiexplore.exetaskmgr.exe

pid	process
1112	iexplore.exe
1888	iexplore.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe

Suspicious use of SendNotifyMessage 22 IoCs

Processes:

taskmgr.exe

pid	process
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe
1800	taskmgr.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
1632	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
1112	iexplore.exe
1112	iexplore.exe
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE
1888	iexplore.exe
1888	iexplore.exe
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exepowershell.execmd.exeiexplore.exeexplorer.exeiexplore.exe

description	pid	process	target process
PID 1632 wrote to memory of 1840	1632	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	powershell.exe
PID 1632 wrote to memory of 1840	1632	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	powershell.exe
PID 1632 wrote to memory of 1840	1632	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	powershell.exe
PID 1632 wrote to memory of 1840	1632	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	powershell.exe
PID 1840 wrote to memory of 2032	1840	powershell.exe	vssadmin.exe
PID 1840 wrote to memory of 2032	1840	powershell.exe	vssadmin.exe
PID 1840 wrote to memory of 2032	1840	powershell.exe	vssadmin.exe
PID 1840 wrote to memory of 2032	1840	powershell.exe	vssadmin.exe
PID 1632 wrote to memory of 1964	1632	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	cmd.exe
PID 1632 wrote to memory of 1964	1632	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	cmd.exe
PID 1632 wrote to memory of 1964	1632	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	cmd.exe
PID 1632 wrote to memory of 1964	1632	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	cmd.exe
PID 1964 wrote to memory of 1972	1964	cmd.exe	attrib.exe
PID 1964 wrote to memory of 1972	1964	cmd.exe	attrib.exe
PID 1964 wrote to memory of 1972	1964	cmd.exe	attrib.exe
PID 1964 wrote to memory of 1972	1964	cmd.exe	attrib.exe
PID 1112 wrote to memory of 1424	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 1424	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 1424	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 1424	1112	iexplore.exe	IEXPLORE.EXE
PID 1140 wrote to memory of 1888	1140	explorer.exe	iexplore.exe
PID 1140 wrote to memory of 1888	1140	explorer.exe	iexplore.exe
PID 1140 wrote to memory of 1888	1140	explorer.exe	iexplore.exe
PID 1888 wrote to memory of 1092	1888	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 1092	1888	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 1092	1888	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 1092	1888	iexplore.exe	IEXPLORE.EXE

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1972 attrib.exe

pid	process
1972	attrib.exe

C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
"C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden -c $mypid='1632';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~7103255.tmp')|iex
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\SysWOW64\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006F3718.bat" "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\attrib.exe
    attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
    3⤵
    - Views/modifies file attributes
    PID:1972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1956

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\RecoveryManual.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1424

C:\Windows\explorer.exe
"explorer.exe" RecoveryManual.html
1⤵
PID:1816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RecoveryManual.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1092

C:\Windows\system32\taskmgr.exe
taskmgr.exe /2
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RecoveryManual.html

Filesize
2KB

MD5
65718f10bb74d49dd9951c6fe10a8326

SHA1
0296eda154e55d90f52a47791b3e35d095bcf87e

SHA256
294e2ed7cf7102f25af4af05911174cab59a70a52138210eee4f9ccfd0b8ab47

SHA512
2d8b7bd62c312d0fe8cb8ae4c7b1f7e90749637c414f1f31daf61747a413e0ccb6a0f7be2560b55f05a94e6f39a794f643fd6cf57d54554be0a709b4e9a0ecc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{34757B50-1A4A-11ED-BB97-EA8F93F2F821}.dat

Filesize
5KB

MD5
3e091dae05c6da2deade11efa12aadf6

SHA1
4bab9a73d1c874148b4cfe33ba2bab7c68dc74b1

SHA256
1287514afcf9ce1a1e5431efe6c29ba6b023209db1fe3f48a66f8af3c6c727f3

SHA512
e8a268d51968d1af91a33c560fc9de6a823b74e8b3580a94c907487353843860ae578bd8572dc1e1e93b83290223c88827d4981dd5800e280fd5e0b754297419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{6110E1D5-3832-11ED-B25A-FE72C9E2D9C9}.dat

Filesize
4KB

MD5
8e03f7ed7a6322d73ccb6ae42d194166

SHA1
295e39c30938f8e2250e5058ed4c15e0d1e8dca0

SHA256
692b4063ca9217116a393eea0b7ed64fe73c57acecdf43028b3e0d94d86c58d5

SHA512
8626abc892041768dbac03d05c7f31486f50fa73427acb99de657c371740de41a6acce997342a86c536c3f398dace42ea88a843112b662eae542cb37bbb3fbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\006F3718.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7103255.tmp

Filesize
4KB

MD5
4e1a1e3e715c291c71950d2fdc79e2be

SHA1
dc2b3d20a9ec88e0d8d75c5097154687acc42983

SHA256
acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39

SHA512
d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80

Download Submit
C:\Users\Admin\Desktop\RecoveryManual.html

Filesize
2KB

MD5
65718f10bb74d49dd9951c6fe10a8326

SHA1
0296eda154e55d90f52a47791b3e35d095bcf87e

SHA256
294e2ed7cf7102f25af4af05911174cab59a70a52138210eee4f9ccfd0b8ab47

SHA512
2d8b7bd62c312d0fe8cb8ae4c7b1f7e90749637c414f1f31daf61747a413e0ccb6a0f7be2560b55f05a94e6f39a794f643fd6cf57d54554be0a709b4e9a0ecc1

Download Submit
memory/1632-56-0x00000000025F0000-0x00000000025FF000-memory.dmp

Filesize
60KB

Download
memory/1800-78-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1800-79-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1840-66-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/1840-63-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/1840-62-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1840-61-0x0000000000000000-mapping.dmp

Download
memory/1956-67-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download
memory/1964-68-0x0000000000000000-mapping.dmp

Download
memory/1972-70-0x0000000000000000-mapping.dmp

Download
memory/2032-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads