Analysis
max time kernel: 416s
max time network: 419s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 12-01-2023 23:37
Static task: static1
Behavioral task: behavioral1
Sample: 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
Resource: win10v2004-20220901-en
General
Target: 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
Size: 169KB
MD5: c99e32fb49a2671a6136535c6537c4d7
SHA1: ada9bcb3da63e7b989b279fb6c3bc9fe7ff7b41f
SHA256: 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b
SHA512: ad77caa95954281cdb11239e832953a5c256981b2bc12fe48029ae002bd49c2715108bdf80a45f6aad459a110fa952cbb87fcae09ff23c79e2845a4296067257
SSDEEP: 3072:Z1E/rS2paccKntcIaKZEKIOjWqGxaTga0rIJ2SEguMG6NTCJAEhRP7ym6VwM1E6x:Z1on2KvuxaUa0NtgdTgXDTOpRh
Malware Config
Signatures
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\AssertUnlock.raw => C:\Users\Admin\Pictures\AssertUnlock.raw..doc | 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
File opened for modification | C:\Users\Admin\Pictures\ExitSync.tiff | 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
File renamed | C:\Users\Admin\Pictures\ExitSync.tiff => C:\Users\Admin\Pictures\ExitSync.tiff..doc | 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
File renamed | C:\Users\Admin\Pictures\SplitRestore.crw => C:\Users\Admin\Pictures\SplitRestore.crw..doc | 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
Note that the sample appends "..doc" to the existing file name rather than replacing the extension, so the original extension (.raw, .tiff, .crw) stays visible in the encrypted file's name.
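The rename IoCs above are the kind of evidence a triage script can turn into a rule: group renames by the suffix that was appended and flag any suffix applied to several files under a user profile. The following is an added example written for this page, not code from the sandbox or from the sample's authors; its input is constructed from the three renames in the table plus one made-up benign rename, and the threshold of three files is an assumption.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Matches the sandbox's "File renamed <src> => <dst>" IoC lines.
RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")

# Constructed input: the three renames and the "opened for modification" line
# from the table above, plus one made-up benign rename (a user renaming a
# document) that must not be counted.
SAMPLE_EVENTS = [
    r"File renamed C:\Users\Admin\Pictures\AssertUnlock.raw => C:\Users\Admin\Pictures\AssertUnlock.raw..doc",
    r"File opened for modification C:\Users\Admin\Pictures\ExitSync.tiff",
    r"File renamed C:\Users\Admin\Pictures\ExitSync.tiff => C:\Users\Admin\Pictures\ExitSync.tiff..doc",
    r"File renamed C:\Users\Admin\Pictures\SplitRestore.crw => C:\Users\Admin\Pictures\SplitRestore.crw..doc",
    r"File renamed C:\Users\Admin\Documents\draft.docx => C:\Users\Admin\Documents\report.docx",
]


def appended_suffix(src, dst):
    """Return what was appended to src to produce dst, or None when dst is not
    src plus a suffix (an ordinary rename, or an extension that was replaced)."""
    if dst.startswith(src) and len(dst) > len(src):
        return dst[len(src):]
    return None


def parse_renames(events):
    """Yield (src, dst) for every rename line; other event types are ignored."""
    for line in events:
        m = RENAME_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"]


def summarize_renames(events, min_files=3):
    """Group renames by appended suffix and report every suffix applied to at
    least min_files files: how many files, which original extensions were hit,
    whether all of them live under C:\\Users, and whether the suffix starts with
    a second dot (the '..doc' style seen here, which keeps the original
    extension in the name)."""
    by_suffix = defaultdict(list)
    for src, dst in parse_renames(events):
        suffix = appended_suffix(src, dst)
        if suffix:
            by_suffix[suffix].append(src)

    findings = []
    for suffix, files in sorted(by_suffix.items()):
        if len(files) < min_files:
            continue
        findings.append({
            "suffix": suffix,
            "count": len(files),
            "original_extensions": sorted({PureWindowsPath(f).suffix.lower() for f in files}),
            "user_profile": all(f.lower().startswith("c:\\users\\") for f in files),
            "double_dot": suffix.startswith(".."),
        })
    return findings


if __name__ == "__main__":
    for finding in summarize_renames(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input the only finding is the "..doc" suffix applied to three files (.crw, .raw, .tiff) under C:\Users; the benign rename produces no suffix because the new name is not the old name plus a suffix.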
Loads dropped DLL 1 IoCs
pid | Process
1576 | 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Roaming\\8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe" | 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
The key used is RunOnce rather than Run: the value, named BrowserUpdateCheck and pointing at a copy of the sample under C:\Users\Admin\AppData\Roaming, executes at the next logon and is then removed by Windows.
Drops desktop.ini file(s) 37 IoCs
All 37 entries are "File opened for modification" by 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe; ioc:
C:\Users\Public\Music\Sample Music\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Program Files\desktop.ini
C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Program Files\Microsoft Games\Mahjong\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\Program Files\Microsoft Games\FreeCell\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Program Files\Microsoft Games\Solitaire\desktop.ini
C:\Program Files\Microsoft Games\Hearts\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
C:\Program Files\Microsoft Games\Chess\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\Program Files\Microsoft Games\Purble Place\desktop.ini
C:\$Recycle.Bin\S-1-5-21-3406023954-474543476-3319432036-1000\desktop.ini
C:\Users\Public\Recorded TV\desktop.ini
C:\Users\Public\Recorded TV\Sample Media\desktop.ini
C:\Users\Admin\Documents\desktop.ini
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1576 set thread context of 1528 | 1576 | 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe | 28
Drops file in Program Files directory 64 IoCs
Process for every entry: 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
description | ioc
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153093.WMF
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar
File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\BUTTON.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198016.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01242_.GIF
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\plugins.dat
File opened for modification | C:\Program Files\7-Zip\Lang\is.txt
File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_increaseindent.gif
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08758_.WMF
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299587.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Country.gif
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\+NewSQLServerConnection.odc
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198234.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217262.WMF
File opened for modification | C:\Program Files\Windows Journal\PDIALOG.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_choosefont.gif
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEML.ICO
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115841.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0295241.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04355_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\MAIL.ICO
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME27.CSS
File created | C:\Program Files\Microsoft Games\Hearts\ja-JP\Read___ME.html
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar
File opened for modification | C:\Program Files\7-Zip\Lang\io.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21309_.GIF
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_OFF.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232171.WMF
File created | C:\Program Files\Microsoft Games\Purble Place\fr-FR\Read___ME.html
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Montevideo
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090781.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPORTL.ICO
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105588.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01849_.WMF
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBOX.XML
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01565_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00704_.WMF
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\La_Rioja
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293234.WMF
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\Read___ME.html
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00090_.GIF
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1704 | vssadmin.exe
Modifies Internet Explorer settings 39 IoCs
All entries come from iexplore.exe / IEXPLORE.EXE, the browser processes that opened C:\Users\Admin\Desktop\Read___ME.html, not from the sample itself. Every key below is relative to \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\.
description | ioc | Process
Key created | Toolbar\WebBrowser | iexplore.exe
Key created | DomainSuggestion\FileNames | iexplore.exe
Key created | LowRegistry | iexplore.exe
Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | Main\WindowsSearch | IEXPLORE.EXE
Key created | SearchScopes | iexplore.exe
Key created | Main\WindowsSearch | iexplore.exe
Key created | PageSetup | iexplore.exe
Key created | Toolbar | iexplore.exe
Set value (int) | Recovery\AdminActive\{9CBFA2E1-92DA-11ED-A4EF-4E1FE69E5DC1} = "0" | iexplore.exe
Key created | Recovery\PendingRecovery | iexplore.exe
Set value (str) | Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | IETld\LowMic | iexplore.exe
Key created | Recovery\AdminActive | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | Main | IEXPLORE.EXE
Set value (int) | TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | Main | iexplore.exe
Set value (int) | SearchScopes\DownloadRetries = "2" | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\MFV = (value not preserved in this copy of the report) | iexplore.exe
Key created | DomainSuggestion | iexplore.exe
Key created | IntelliForms | iexplore.exe
Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | TabbedBrowsing | iexplore.exe
Key created | TabbedBrowsing\NewTabPage | iexplore.exe
Key created | DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | DomainSuggestion\NextUpdateDate = "380335291" | iexplore.exe
Key created | GPU | iexplore.exe
Key created | LowRegistry\DOMStorage | iexplore.exe
Key created | Main | IEXPLORE.EXE
Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da000000000200000000001066000000010000200000004760bf30702ce07e67644138faa31351b0313d9b3ef83e485bef2e4232e10274000000000e80000000020000200000002a6a390daadf2293ecf8a14ade53410ec2c10a64791a46dfb2ede218bd51b2d920000000450027597c84d11b471dcf886dc0f46545a53bb494f965252c352c7b5581604b4000000013ee63f872945dcab9f4c136d54c61834f98400f93fdfb22e155c5a7fbb85778ecbcbd2b28264db36349155996e29d78ecce169cee23e1ef046b00bc003258d0 | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = b061186fe726d901 | iexplore.exe
Key created | BrowserEmulation\LowMic | iexplore.exe
Key created | Zoom | iexplore.exe
Set value (str) | Main\FullScreen = "no" | iexplore.exe
Set value (str) | DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | InternetRegistry | iexplore.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
1528 | 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
1576 | 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeBackupPrivilege | 1204 | vssvc.exe
Token: SeRestorePrivilege | 1204 | vssvc.exe
Token: SeAuditPrivilege | 1204 | vssvc.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process | count
944 | iexplore.exe | 2
Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process | count
944 | iexplore.exe | 2
824 | IEXPLORE.EXE | 4
1360 | IEXPLORE.EXE | 2
Suspicious use of WriteProcessMemory 41 IoCs
description | pid | Process | procid_target | count
PID 1576 wrote to memory of 1528 | 1576 | 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe | 28 | 5
PID 944 wrote to memory of 824 | 944 | iexplore.exe | 32 | 4
PID 944 wrote to memory of 1360 | 944 | iexplore.exe | 34 | 4
PID 1528 wrote to memory of 1732 | 1528 | 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe | 35 | 4
PID 1528 wrote to memory of 1396 | 1528 | 8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe | 37 | 4
PID 1732 wrote to memory of 1704 | 1732 | cmd.exe | 38 | 4
PID 1732 wrote to memory of 1756 | 1732 | cmd.exe | 41 | 4
PID 1732 wrote to memory of 1624 | 1732 | cmd.exe | 42 | 4
PID 1732 wrote to memory of 1536 | 1732 | cmd.exe | 43 | 4
PID 1732 wrote to memory of 1492 | 1732 | cmd.exe | 44 | 4
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
1492 | attrib.exe
Processes
[PID 1576] C:\Users\Admin\AppData\Local\Temp\8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  [PID 1528] C:\Users\Admin\AppData\Local\Temp\8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe (child of 1576)
    command line: "C:\Users\Admin\AppData\Local\Temp\8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe"
    - Modifies extensions of user files
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [PID 1732] C:\Windows\SysWOW64\cmd.exe (child of 1528)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\tmp4126.tmp.bat
      - Suspicious use of WriteProcessMemory
      [PID 1704] C:\Windows\SysWOW64\vssadmin.exe (child of 1732)
        command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
      [PID 1756] C:\Windows\SysWOW64\reg.exe (child of 1732)
        command line: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
      [PID 1624] C:\Windows\SysWOW64\reg.exe (child of 1732)
        command line: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
      [PID 1536] C:\Windows\SysWOW64\reg.exe (child of 1732)
        command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
      [PID 1492] C:\Windows\SysWOW64\attrib.exe (child of 1732)
        command line: attrib Default.rdp -s -h
        - Views/modifies file attributes
    [PID 1396] C:\Windows\SysWOW64\cmd.exe (child of 1528)
      command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe > nul
[PID 944] C:\Program Files\Internet Explorer\iexplore.exe
  command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Read___ME.html
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  [PID 824] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of 944)
    command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:944 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  [PID 1360] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of 944)
    command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:944 CREDAT:209932 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
[PID 1204] C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Reading the tree: the first instance (1576) starts a second copy of the same image (1528), writes into it and sets its thread context, which is the usual self-injection sequence; the child is the instance that renames user files and drops the notes. That child runs a batch file staged in %TEMP% (tmp4126.tmp.bat) whose commands are visible as the children of 1732: delete all shadow copies, wipe the RDP connection history under HKCU\Software\Microsoft\Terminal Server Client (deleting Default and Servers, then recreating an empty Servers key) and strip the hidden/system attributes from Default.rdp. A second cmd.exe (1396) deletes the original sample from %TEMP% once the RunOnce entry points at the copy in AppData\Roaming. vssvc.exe (1204) acquiring SeBackupPrivilege and SeRestorePrivilege is the Volume Shadow Copy service handling the vssadmin request, not activity of the sample.
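The command lines in the tree are what a detection engineer would actually match on, and the tree's parent/child links allow one check that a single command line cannot express: a cmd.exe whose "del" target is its parent's own image. The following is an added example written for this page, not code from the sandbox or from the sample; the process tuples are constructed from the tree above (parent pid 0 stands in for "no parent shown"), and the ATT&CK technique IDs are the example's own mapping, not one stated in the report.

```python
import re

SAMPLE = "8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE

# Constructed from the process tree in this report: (pid, parent pid, image,
# command line). Parent pid 0 stands in for "no parent shown".
PROCESSES = [
    (1576, 0, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    (1528, 1576, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    (1732, 1528, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c " + TEMP + r"\tmp4126.tmp.bat"),
    (1704, 1732, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    (1756, 1732, r"C:\Windows\SysWOW64\reg.exe",
     r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f'),
    (1624, 1732, r"C:\Windows\SysWOW64\reg.exe",
     r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f'),
    (1536, 1732, r"C:\Windows\SysWOW64\reg.exe",
     r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"'),
    (1492, 1732, r"C:\Windows\SysWOW64\attrib.exe", "attrib Default.rdp -s -h"),
    (1396, 1528, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c del ' + SAMPLE_PATH + " > nul"),
    (944, 0, r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Read___ME.html'),
]

# Command-line rules: (ATT&CK id, title, pattern). The ids are this example's
# own mapping of the observed commands, not a mapping taken from the report.
RULES = [
    ("T1490", "Inhibit System Recovery: vssadmin deletes all shadow copies",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1070", "Indicator Removal: RDP connection history deleted from HKCU",
     re.compile(r"reg(\.exe)?\s+delete\s+\"?HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client", re.I)),
    ("T1070", "Indicator Removal: hidden/system attributes stripped from Default.rdp",
     re.compile(r"attrib(\.exe)?\s+.*Default\.rdp.*-h", re.I)),
    ("T1059.003", "Windows Command Shell: batch file staged in %TEMP%",
     re.compile(r"cmd(\.exe)?\s+/c\s+\S*\\Temp\\\S+\.bat", re.I)),
    ("T1486", "Data Encrypted for Impact: ransom note opened in the browser",
     re.compile(r"Read___ME\.html", re.I)),
]

# "del <path.exe>" with the path captured; used only for the self-delete check.
DEL_RE = re.compile(r"\bdel\s+\"?(.+?\.exe)\"?(?=\s|$)", re.I)


def self_delete_target(proc, by_pid):
    """Return the deleted path when this process deletes its parent's own image,
    otherwise None. Needs the tree: the command line alone does not show whose
    file is being removed."""
    pid, ppid, image, cmdline = proc
    m = DEL_RE.search(cmdline)
    parent = by_pid.get(ppid)
    if m and parent and m.group(1).lower() == parent[2].lower():
        return m.group(1)
    return None


def analyze(processes):
    """Run every rule over every command line, add the parent-aware self-delete
    check, and return a list of (pid, attack_id, title) findings."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for proc in processes:
        pid, _, _, cmdline = proc
        for attack_id, title, rx in RULES:
            if rx.search(cmdline):
                findings.append((pid, attack_id, title))
        if self_delete_target(proc, by_pid):
            findings.append((pid, "T1070.004",
                             "Indicator Removal: File Deletion (parent's own image deleted via cmd)"))
    return findings


if __name__ == "__main__":
    for pid, attack_id, title in analyze(PROCESSES):
        print(f"PID {pid:>5}  {attack_id:<10} {title}")
```

On the constructed tree this yields seven findings: the batch launcher (1732), the shadow-copy deletion (1704), the two reg delete commands (1756, 1624), the attrib call (1492), the self-delete (1396) and the note opened in the browser (944). The reg add that recreates the empty Servers key (1536) matches nothing, which is intended: on its own it is benign, and it only becomes interesting next to the deletes that precede it.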
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: de7056b8bac0cb42878e72710631f2e2
SHA1: eae422ceffc7e87940743f65fedd74039340a218
SHA256: 1b2daf7e98dfc8b28ff3a6fda66a2fc8377ac22bc4495930e3d0706ddd84f927
SHA512: 49dcb705498f2cce58e2992ab0efcbcf6b1e8e398ce5021b1b90172f7bb09aa0fd86e3c09cb241da699455f7aad8fb61e8d5d5cc9449921df5b2a81f046dd6c1

Filesize: 70KB
MD5: 0fc138abd7c94c998dbf29db15481b16
SHA1: f2969233175e2d0275fb87438493108fee199b2e
SHA256: 01a6c97fc1a23001fefc3c1f8c3480bc0cc444541463b8e3411f79644aef5b58
SHA512: b55afc819d3099a9da7de96e5f1c80f87b40f1bc37dc0296be22adb6e555e8869f197de1b7d7d3e271044f397e9aa3b81bbc123be4b32f59e68c28e09a95facf

Filesize: 11KB
MD5: 3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1: fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256: fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA512: 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Filesize: 445B
MD5: 32d8f7a3d0c796cee45f64b63c1cca38
SHA1: d58466430a2bba8641bd92c880557379e25b140c
SHA256: 1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea
SHA512: 288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698

Filesize: 608B
MD5: 9ff79450d140bf1f1135e5a5aa880b94
SHA1: 5dbabbd4de4e51b96e91e108fc26e84bc7f434f5
SHA256: 2d6996eb06a035a5d99729b6390facb24aaf803800cc91d5f4bcfd7a8b4425fa
SHA512: 68e971a98bbe3b1a818fad285063dc1bb8336deb380c11e7ad9d97c239c6713a425b2cee0e9e5115a2103212f36110b1b20dccf435aa701724a6523636ef754b

Filesize: 4KB
MD5: f7f3e70a5e06cfddf310bea8a24d08d5
SHA1: a699bd106dacf3c0c7f60a4796f568834921cecf
SHA256: 749665bb9c14b0d01c7d59362e1820e42555a87447c20edbceebad27519193f5
SHA512: 6fea7e9bf550be65c8877e392bde981300d88ef4159b56897f297a73f699f167fee510003093d5a1ba766c6e55325abb60f40c80993883257c209ec05c189577

Filesize: 11KB
MD5: 3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1: fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256: fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA512: 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6