1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77

General

Target

1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
Size

200KB
MD5

7372c9a138bb854972452263abab1dc5
SHA1

ad247b2428fac6d07bdd9628cddaa18004840e6c
SHA256

1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77
SHA512

3c882b3514c6314ebde04d35748464d4aba3eceb567c1b7ee87f4cf565cf192af3195d21151ef024b2fd19f151beb449fbd28105354a71764b46dbfba5fc1184
SSDEEP

3072:dbOTRwYckApvw14pcODvX/kyeAYcWNzs2C3Zm4YvrCtMNX/eTvpdXfabI5F8lbj4:lOsZiKRJWWYj7eTxdH5qlGuqJH

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\pictures\EnterUnpublish.tiff	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\pictures\UnblockMeasure.tiff	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

Drops startup file 1 IoCs

Processes:

1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\how_to_decrypt.hta	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 29 IoCs

Processes:

1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\music\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\3d objects\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\pictures\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\links\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\contacts\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\documents\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\saved games\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\public\desktop\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\public\videos\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\searches\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\pictures\camera roll\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\onedrive\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\favorites\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\public\libraries\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\downloads\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\videos\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\public\accountpictures\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\public\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\public\documents\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\favorites\links\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\admin\pictures\saved pictures\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\public\downloads\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\public\music\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\users\public\pictures\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
File opened for modification	\??\c:\$recycle.bin\s-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

pid	process
656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4340	WMIC.exe
Token: SeSecurityPrivilege	4340	WMIC.exe
Token: SeTakeOwnershipPrivilege	4340	WMIC.exe
Token: SeLoadDriverPrivilege	4340	WMIC.exe
Token: SeSystemProfilePrivilege	4340	WMIC.exe
Token: SeSystemtimePrivilege	4340	WMIC.exe
Token: SeProfSingleProcessPrivilege	4340	WMIC.exe
Token: SeIncBasePriorityPrivilege	4340	WMIC.exe
Token: SeCreatePagefilePrivilege	4340	WMIC.exe
Token: SeBackupPrivilege	4340	WMIC.exe
Token: SeRestorePrivilege	4340	WMIC.exe
Token: SeShutdownPrivilege	4340	WMIC.exe
Token: SeDebugPrivilege	4340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4340	WMIC.exe
Token: SeRemoteShutdownPrivilege	4340	WMIC.exe
Token: SeUndockPrivilege	4340	WMIC.exe
Token: SeManageVolumePrivilege	4340	WMIC.exe
Token: 33	4340	WMIC.exe
Token: 34	4340	WMIC.exe
Token: 35	4340	WMIC.exe
Token: 36	4340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4340	WMIC.exe
Token: SeSecurityPrivilege	4340	WMIC.exe
Token: SeTakeOwnershipPrivilege	4340	WMIC.exe
Token: SeLoadDriverPrivilege	4340	WMIC.exe
Token: SeSystemProfilePrivilege	4340	WMIC.exe
Token: SeSystemtimePrivilege	4340	WMIC.exe
Token: SeProfSingleProcessPrivilege	4340	WMIC.exe
Token: SeIncBasePriorityPrivilege	4340	WMIC.exe
Token: SeCreatePagefilePrivilege	4340	WMIC.exe
Token: SeBackupPrivilege	4340	WMIC.exe
Token: SeRestorePrivilege	4340	WMIC.exe
Token: SeShutdownPrivilege	4340	WMIC.exe
Token: SeDebugPrivilege	4340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4340	WMIC.exe
Token: SeRemoteShutdownPrivilege	4340	WMIC.exe
Token: SeUndockPrivilege	4340	WMIC.exe
Token: SeManageVolumePrivilege	4340	WMIC.exe
Token: 33	4340	WMIC.exe
Token: 34	4340	WMIC.exe
Token: 35	4340	WMIC.exe
Token: 36	4340	WMIC.exe
Token: SeBackupPrivilege	1352	vssvc.exe
Token: SeRestorePrivilege	1352	vssvc.exe
Token: SeAuditPrivilege	1352	vssvc.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.execmd.exe

description	pid	process	target process
PID 656 wrote to memory of 3428	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 3428	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 3428	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 4456	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 4456	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 4456	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 3012	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 3012	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 3012	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 816	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 816	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 816	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 4536	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 4536	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 4536	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 3212	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 3212	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 656 wrote to memory of 3212	656	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 816 wrote to memory of 4340	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 4340	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 4340	816	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
"C:\Users\Admin\AppData\Local\Temp\1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
  2⤵
  PID:3428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
  2⤵
  PID:4456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"
  2⤵
  PID:3012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
  2⤵
  PID:4536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
  2⤵
  PID:3212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\Desktop\how_to_decrypt.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:6488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini

Filesize
935B

MD5
0644cef640f126c5ed4bbf70cd5df159

SHA1
64b2ac3229ce2158cecbb46f3b0e0eacc1e6e222

SHA256
b36a1d84e32061d4c86b6adfed1e502e3260c8d53bb3548a90135af5d4e413fd

SHA512
9d948cb05ae36e2a3978dfa09d9d6f33b004a640ba52bedea43df23b5b0868aafcdf2940f04d66e3911b18583bc99789118815a48f3998643a24566c6b917f1e

Download Submit
C:\Users\Public\Desktop\how_to_decrypt.hta

Filesize
5KB

MD5
79e7b5b61351f9076a85a13f46eaa4d1

SHA1
aafe0c09ab8a06ce187dac51a6b8c1827ddbcc29

SHA256
37e13beb9e01e95a84ed8f181eb64d0c30bab11cacb7d8c11ad2c76b8d456e12

SHA512
941df877f13e43dacf6d8f01d871fe726f4251131ccc188266c0efcec2542d318a31b8837faeca804436d4660979f4f7f65d1b02e5d4307167dabb997ee77a14

Download Submit
memory/816-135-0x0000000000000000-mapping.dmp

Download
memory/3012-134-0x0000000000000000-mapping.dmp

Download
memory/3212-137-0x0000000000000000-mapping.dmp

Download
memory/3428-132-0x0000000000000000-mapping.dmp

Download
memory/4340-138-0x0000000000000000-mapping.dmp

Download
memory/4456-133-0x0000000000000000-mapping.dmp

Download
memory/4536-136-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads