149ded86c52aee0bf1dc303181495af988334c9c0c6b81048d8388a7f797dc5b

General

Target

trig_149ded86c52aee0bf1dc30.exe
Size

1.1MB
MD5

882f792ef927f4e8321e082d9a4d85ff
SHA1

0f7989d7ae20d6be6f18c38ae255a5ca1397a8df
SHA256

149ded86c52aee0bf1dc303181495af988334c9c0c6b81048d8388a7f797dc5b
SHA512

350040e5611aa21bc637f465a4c898c7473cd21e2a71c269593196c6866b709cefdf9610b411679cdd1f6b213ee130e058b93f5c2578457450aa4b3dd49a9673
SSDEEP

24576:LYxvmwliqDHWHVjdzuM7Br+e5rA+u7ziSX:evmw3UjnrP9jQis

Score

8^/10

persistence ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

trig_149ded86c52aee0bf1dc30.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ResumeUninstall.png => \??\c:\users\admin\pictures\ResumeUninstall.png._locked	trig_149ded86c52aee0bf1dc30.exe
File renamed	C:\Users\Admin\Pictures\UndoProtect.raw => \??\c:\users\admin\pictures\UndoProtect.raw._locked	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\pictures\NewWrite.tiff	trig_149ded86c52aee0bf1dc30.exe
File renamed	C:\Users\Admin\Pictures\NewWrite.tiff => \??\c:\users\admin\pictures\NewWrite.tiff._locked	trig_149ded86c52aee0bf1dc30.exe
File renamed	C:\Users\Admin\Pictures\OpenRead.raw => \??\c:\users\admin\pictures\OpenRead.raw._locked	trig_149ded86c52aee0bf1dc30.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

trig_149ded86c52aee0bf1dc30.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\F7FE720CF8C430BD35D0BA8DA927D6BE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trig_149ded86c52aee0bf1dc30.exe"	trig_149ded86c52aee0bf1dc30.exe

Drops desktop.ini file(s) 47 IoCs

Processes:

trig_149ded86c52aee0bf1dc30.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\feeds cache\uify0mn9\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\contacts\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\Desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft games\freecell\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft games\chess\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\public\libraries\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\public\music\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\public\pictures\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\$recycle.bin\s-1-5-21-999675638-2867687379-27515722-1000\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\public\pictures\sample pictures\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\public\recorded tv\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\public\recorded tv\sample media\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\favorites\links\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\pictures\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\feeds cache\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\favorites\links for united states\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\feeds cache\31f8nsav\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\feeds cache\9w0xro68\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\music\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft games\solitaire\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\feeds cache\p35q2wmd\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\1033\dataservices\DESKTOP.INI	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\documents\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\videos\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft games\hearts\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\stationery\Desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft games\spidersolitaire\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\downloads\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\links\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\saved games\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\searches\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\public\desktop\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft games\mahjong\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft games\purble place\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\public\videos\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\public\videos\sample videos\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\public\documents\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\public\downloads\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\public\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\public\music\sample music\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\users\admin\favorites\desktop.ini	trig_149ded86c52aee0bf1dc30.exe

Drops file in Program Files directory 64 IoCs

Processes:

trig_149ded86c52aee0bf1dc30.exe

description	ioc	process
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\lib\plugin.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\J0099200.GIF	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\1033\pubspapr\ZPDIR37F.GIF	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\dvd maker\shared\Common.fxh	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\mozilla firefox\updater.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\videolan\vlc\lua\http\images\Video-48.png	trig_149ded86c52aee0bf1dc30.exe
File created	\??\c:\program files\videolan\vlc\lua\sd\how_to_decrypt.hta	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\FD00096_.WMF	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\WING2.WMF	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\forms\1033\EXITEMS.ICO	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\formsstyles\Slate.css	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\media\office14\lines\BD21307_.GIF	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\Bears.jpg	trig_149ded86c52aee0bf1dc30.exe
File created	\??\c:\program files\videolan\vlc\locale\an\lc_messages\how_to_decrypt.hta	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\media\office14\lines\J0115875.GIF	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jre7\lib\rt.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\mozilla firefox\gmp-clearkey\0.1\clearkey.dll.sig	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\africa\Accra	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\etc\GMT-8	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\media\cagcat10\J0292020.WMF	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\media\office14\autoshap\BD18227_.WMF	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\google\chrome\application\89.0.4389.114\locales\gu.pak	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\mozilla firefox\firefox.cfg	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\common files\system\msadc\ja-jp\msadcer.dll.mui	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\J0198372.WMF	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\media\office14\bullets\BD21304_.GIF	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\computers\computericon.jpg	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\MSCOL11.PPD	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\oskpred.xml	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_ja_4.4.0.v20140623020002.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jre7\lib\zi\systemv\CST6	trig_149ded86c52aee0bf1dc30.exe
File created	\??\c:\program files (x86)\microsoft sync framework\v1.0\runtime\x86\how_to_decrypt.hta	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft games\multiplayer\checkers\de-de\chkrzm.exe.mui	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\RE00006_.WMF	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\media\office14\lines\BD21328_.GIF	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\1033\ReviewRouting_Init.xsn	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\EST	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\1033\pubspapr\PDIR41F.GIF	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\ink\it-it\IPSEventLogMsg.dll.mui	trig_149ded86c52aee0bf1dc30.exe
File created	\??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\how_to_decrypt.hta	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jre7\lib\zi\america\indiana\Petersburg	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\videolan\vlc\locale\ga\lc_messages\vlc.mo	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\adobe\reader 9.0\reader\tracker\br.gif	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\BS00439_.WMF	trig_149ded86c52aee0bf1dc30.exe
File created	\??\c:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\sts2\how_to_decrypt.hta	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\commondata\AlertImage_Off.jpg	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms3\bg_Earthy.gif	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\7-zip\lang\ka.txt	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\1033\pubspapr\PDIR31B.GIF	trig_149ded86c52aee0bf1dc30.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms\fieldtypepreview\how_to_decrypt.hta	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\indian\Christmas	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\AN01218_.WMF	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\SO00018_.WMF	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\media\office14\autoshap\BD18247_.WMF	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms3\formsstyles\Desert.css	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\Baghdad	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\europe\Tirane	trig_149ded86c52aee0bf1dc30.exe

C:\Users\Admin\AppData\Local\Temp\trig_149ded86c52aee0bf1dc30.exe
"C:\Users\Admin\AppData\Local\Temp\trig_149ded86c52aee0bf1dc30.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\desktop.ini
Filesize
870B

MD5
a4c8f488e043f491fbb83b3fce7ce3d8

SHA1
b06c1a8da375a126a6254f54d2c4951ac98d7d6e

SHA256
a4fcc84e5950e3a5c4e9239f3589bb0b558514c1d3e3c2c343d9f4652611b35e

SHA512
5190a2b77077b2af319c28530021b14b5bf9193f19087ab4e678cbfba44f69b278e841ec67abe478be21982774682e9707b253ae2235535b0e1431480d4be83f

Download Submit
memory/1416-54-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads