0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028

pid	Process
6384	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

pid	Process
5964	wbadmin.exe

Executes dropped EXE 1 IoCs

pid	Process
3404	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ResumeWait.tiff.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File renamed	C:\Users\Admin\Pictures\SaveDismount.tif => C:\Users\Admin\Pictures\SaveDismount.tif.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Pictures\SaveDismount.tif.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeWait.tiff	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File renamed	C:\Users\Admin\Pictures\ResumeWait.tiff => C:\Users\Admin\Pictures\ResumeWait.tiff.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Pictures\FindEnable.tif.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File renamed	C:\Users\Admin\Pictures\LockGroup.crw => C:\Users\Admin\Pictures\LockGroup.crw.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File renamed	C:\Users\Admin\Pictures\DebugApprove.tiff => C:\Users\Admin\Pictures\DebugApprove.tiff.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File renamed	C:\Users\Admin\Pictures\FindEnable.tif => C:\Users\Admin\Pictures\FindEnable.tif.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Pictures\LockGroup.crw.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File renamed	C:\Users\Admin\Pictures\PingDebug.crw => C:\Users\Admin\Pictures\PingDebug.crw.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Pictures\PingDebug.crw.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Pictures\DebugApprove.tiff	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Pictures\DebugApprove.tiff.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe = "C:\\Windows\\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe"	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-2295526160-1155304984-640977766-1000\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Public\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	\Device\HarddiskVolume1\$RECYCLE.BIN\S-1-5-21-2295526160-1155304984-640977766-1000\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened (read-only)	\??\F:	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\5415296051972527219.jpg"	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_ja_4.4.0.v20140623020002.jar	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\music_offline_demo_page1.jpg	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt58.dll.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-150.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\platform_format.lua	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-100_contrast-black.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsStoreLogo.scale-100.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20_altform-unplated.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msql.xsl	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-125_contrast-black.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldBeLessThan.snippets.ps1xml	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\uninstall.log	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\SmallTile.scale-125.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmlrwbin_xl.dll.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-200.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-100.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d9.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\MedTile.scale-200.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\manifest.json	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_fr.properties	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSmallTile.scale-100.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-125.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Rotate.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\moe_default_icon.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GooglePromoTile.scale-100.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\MSFT_PackageManagementSource.schema.mfl	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-200.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\UserControls\SuperSlowMotionCheckbox.xbf	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyReport.dotx	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\DEEPBLUE.INF.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\ExportConfig.json	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-125.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-72_altform-lightunplated.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-200.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\MANIFEST.MF	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
File created	C:\Windows\5415296051972527219.png	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

File Deletion

T1107

Inhibit System Recovery

pid	Process
5836	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1688	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon\ = "C:\\Windows\\5415296051972527219.png"	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5068	PING.EXE

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
Token: SeTcbPrivilege	3404	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
Token: SeTakeOwnershipPrivilege	3404	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
Token: SeSecurityPrivilege	3404	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeBackupPrivilege	6000	wbengine.exe
Token: SeRestorePrivilege	6000	wbengine.exe
Token: SeSecurityPrivilege	6000	wbengine.exe
Token: SeBackupPrivilege	4060	vssvc.exe
Token: SeRestorePrivilege	4060	vssvc.exe
Token: SeAuditPrivilege	4060	vssvc.exe
Token: SeIncreaseQuotaPrivilege	6408	WMIC.exe
Token: SeSecurityPrivilege	6408	WMIC.exe
Token: SeTakeOwnershipPrivilege	6408	WMIC.exe
Token: SeLoadDriverPrivilege	6408	WMIC.exe
Token: SeSystemProfilePrivilege	6408	WMIC.exe
Token: SeSystemtimePrivilege	6408	WMIC.exe
Token: SeProfSingleProcessPrivilege	6408	WMIC.exe
Token: SeIncBasePriorityPrivilege	6408	WMIC.exe
Token: SeCreatePagefilePrivilege	6408	WMIC.exe
Token: SeBackupPrivilege	6408	WMIC.exe
Token: SeRestorePrivilege	6408	WMIC.exe
Token: SeShutdownPrivilege	6408	WMIC.exe
Token: SeDebugPrivilege	6408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6408	WMIC.exe
Token: SeRemoteShutdownPrivilege	6408	WMIC.exe
Token: SeUndockPrivilege	6408	WMIC.exe
Token: SeManageVolumePrivilege	6408	WMIC.exe
Token: 33	6408	WMIC.exe
Token: 34	6408	WMIC.exe
Token: 35	6408	WMIC.exe
Token: 36	6408	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6408	WMIC.exe
Token: SeSecurityPrivilege	6408	WMIC.exe
Token: SeTakeOwnershipPrivilege	6408	WMIC.exe
Token: SeLoadDriverPrivilege	6408	WMIC.exe
Token: SeSystemProfilePrivilege	6408	WMIC.exe
Token: SeSystemtimePrivilege	6408	WMIC.exe
Token: SeProfSingleProcessPrivilege	6408	WMIC.exe
Token: SeIncBasePriorityPrivilege	6408	WMIC.exe
Token: SeCreatePagefilePrivilege	6408	WMIC.exe
Token: SeBackupPrivilege	6408	WMIC.exe
Token: SeRestorePrivilege	6408	WMIC.exe
Token: SeShutdownPrivilege	6408	WMIC.exe
Token: SeDebugPrivilege	6408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6408	WMIC.exe
Token: SeRemoteShutdownPrivilege	6408	WMIC.exe
Token: SeUndockPrivilege	6408	WMIC.exe
Token: SeManageVolumePrivilege	6408	WMIC.exe
Token: 33	6408	WMIC.exe
Token: 34	6408	WMIC.exe
Token: 35	6408	WMIC.exe
Token: 36	6408	WMIC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 3404	4704	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe	82
PID 4704 wrote to memory of 3404	4704	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe	82
PID 4704 wrote to memory of 3404	4704	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe	82
PID 4704 wrote to memory of 2616	4704	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe	84
PID 4704 wrote to memory of 2616	4704	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe	84
PID 3404 wrote to memory of 5060	3404	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe	87
PID 3404 wrote to memory of 5060	3404	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe	87
PID 2616 wrote to memory of 5068	2616	cmd.exe	86
PID 2616 wrote to memory of 5068	2616	cmd.exe	86
PID 5060 wrote to memory of 1688	5060	cmd.exe	90
PID 5060 wrote to memory of 1688	5060	cmd.exe	90
PID 3404 wrote to memory of 5912	3404	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe	98
PID 3404 wrote to memory of 5912	3404	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe	98
PID 5912 wrote to memory of 5964	5912	cmd.exe	100
PID 5912 wrote to memory of 5964	5912	cmd.exe	100
PID 3404 wrote to memory of 6136	3404	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe	104
PID 3404 wrote to memory of 6136	3404	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe	104
PID 3404 wrote to memory of 6136	3404	0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe	104
PID 5912 wrote to memory of 5836	5912	cmd.exe	106
PID 5912 wrote to memory of 5836	5912	cmd.exe	106
PID 5912 wrote to memory of 6384	5912	cmd.exe	112
PID 5912 wrote to memory of 6384	5912	cmd.exe	112
PID 5912 wrote to memory of 6408	5912	cmd.exe	113
PID 5912 wrote to memory of 6408	5912	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
"C:\Users\Admin\AppData\Local\Temp\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
  "C:\Windows\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe" g g g o n e123
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\System32\cmd.exe
    /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1688
- - C:\Windows\System32\cmd.exe
    /C wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5912
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:5964
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:5836
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {current} nx AlwaysOff
      4⤵
      Modifies boot configuration data using bcdedit
      PID:6384
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic SHADOWCOPY DELETE
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6408
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\5415296051972527219.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    PID:6136
- C:\Windows\System32\cmd.exe
  /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\system32\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:5068

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6000

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:6108

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery