143aa60d44f38ae8a99ce6b5dbdb80412e2c32fcf8f50b5bd1aee46a3f5a4b40

General

Target

134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
Size

12.0MB
MD5

a067491773524cf499e7a0bc77ceec96
SHA1

e8034dfd3468dcd3d5a6d09f3fde7f63dcc9ec13
SHA256

134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457
SHA512

c759d0ace38c842f98d4a9d4a8cc342c89d40ab4238ff52625db13a4e50714aedf701798f6ea22e755e3599c4e002b4ba49ed3f9b06c56e4d95ac7ce6800fa4c
SSDEEP

98304:QnLu1TIRtUOV5ZQ+5jZArLu1OWWqXpy05QP:QnTRtBYk405QP

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\Readme_Instructions.html

Ransom Note

<!DOCTYPE HTML> <html><head><title>infected with ransomware virus</title> <meta http-equiv="X-UA-Compatible" content="IE=edge"> </head> <body style="margin: 0.4em; font-size: 14pt;">!!!    Your files are encrypted  !!! *All your files are protected with encryption* *There is no public decryption software.* *All files/documents/software with ".CRYPT" extension is encrypted* ###### Program and private key, What is the price? The price depends on how fast you can pay us.!###### 1 day : 50 Bitcoin 2 day : 60 Bitcoin 3 day : 90 Bitcoin 4 day : 130 Bitcoin 5 day    : permanent data loss !!!! ***How to contact our team through tox chat*** *Download tox chat from *<a href="https://tox.chat/download.html">https://tox.chat/download.html</a> *send us friend request to tox chat id 7D8796EB86CBF29F53F8A8447EABAF310ED898D9DEFF97AE09C1864C2A6B3B14ED8F82AE9B9D *Our team is waiting* !!!!For immediate decryption!!! write to our email: <a href="mailto:decryptorsoftware@xyzmailpro.com">decryptorsoftware@xyzmailpro.com</a> *After payment received, we will send private key to your IT department.!!!* *Free decryption As a guarantee, you can send us up to 3 free decrypted files before payment.* !!! We have downloaded all your files to our servers and will release data if you do not comply.!!! !!! Do not attempt to decrypt your data using third-party software, this will result in permanent data loss.!!!</body></html>

Emails

href="mailto:decryptorsoftware@xyzmailpro.com">decryptorsoftware@xyzmailpro.com</a>

URLs

http-equiv="X-UA-Compatible"

Signatures

Modifies extensions of user files 16 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SetRemove.raw => C:\Users\Admin\Pictures\SetRemove.raw.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\StepResume.crw => C:\Users\Admin\Pictures\StepResume.crw.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\ConfirmConvert.tif => C:\Users\Admin\Pictures\ConfirmConvert.tif.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Users\Admin\Pictures\ReadHide.tiff	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\RestoreStart.tif => C:\Users\Admin\Pictures\RestoreStart.tif.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeStep.tiff	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\ReadHide.tiff => C:\Users\Admin\Pictures\ReadHide.tiff.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\RedoUnlock.tif => C:\Users\Admin\Pictures\RedoUnlock.tif.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\InvokeStep.tiff => C:\Users\Admin\Pictures\InvokeStep.tiff.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\MeasureInstall.tif => C:\Users\Admin\Pictures\MeasureInstall.tif.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\RestoreOut.raw => C:\Users\Admin\Pictures\RestoreOut.raw.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\StepSwitch.png => C:\Users\Admin\Pictures\StepSwitch.png.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\UninstallProtect.raw => C:\Users\Admin\Pictures\UninstallProtect.raw.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectSkip.tiff	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\ConnectSkip.tiff => C:\Users\Admin\Pictures\ConnectSkip.tiff.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\DisconnectNew.png => C:\Users\Admin\Pictures\DisconnectNew.png.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe

Drops startup file 1 IoCs

Processes:

134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sk-sk\ui-strings.js	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lt_get.svg	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pt_BR.jar	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\preloaded_data.pb	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\PREVIEW.GIF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\ui-strings.js	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management\jmxremote.access	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\ui-strings.js	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hr-hr\ui-strings.js	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\README.txt	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\mr.pak	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\ui-strings.js	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_listview_18.svg	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\ui-strings.js	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PROFILE.ELM	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\RECOVR32.CNV	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\ui-strings.js	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\ui-strings.js	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\ui-strings.js	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons.png	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.LEX	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\selector.js	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\ui-strings.js	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-LIGHT.TTF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSJH.TTC	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\StepInitialize.vdw	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe

pid	process
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	2436	vssvc.exe
Token: SeRestorePrivilege	2436	vssvc.exe
Token: SeAuditPrivilege	2436	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1860	WMIC.exe
Token: SeSecurityPrivilege	1860	WMIC.exe
Token: SeTakeOwnershipPrivilege	1860	WMIC.exe
Token: SeLoadDriverPrivilege	1860	WMIC.exe
Token: SeSystemProfilePrivilege	1860	WMIC.exe
Token: SeSystemtimePrivilege	1860	WMIC.exe
Token: SeProfSingleProcessPrivilege	1860	WMIC.exe
Token: SeIncBasePriorityPrivilege	1860	WMIC.exe
Token: SeCreatePagefilePrivilege	1860	WMIC.exe
Token: SeBackupPrivilege	1860	WMIC.exe
Token: SeRestorePrivilege	1860	WMIC.exe
Token: SeShutdownPrivilege	1860	WMIC.exe
Token: SeDebugPrivilege	1860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1860	WMIC.exe
Token: SeRemoteShutdownPrivilege	1860	WMIC.exe
Token: SeUndockPrivilege	1860	WMIC.exe
Token: SeManageVolumePrivilege	1860	WMIC.exe
Token: 33	1860	WMIC.exe
Token: 34	1860	WMIC.exe
Token: 35	1860	WMIC.exe
Token: 36	1860	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1860	WMIC.exe
Token: SeSecurityPrivilege	1860	WMIC.exe
Token: SeTakeOwnershipPrivilege	1860	WMIC.exe
Token: SeLoadDriverPrivilege	1860	WMIC.exe
Token: SeSystemProfilePrivilege	1860	WMIC.exe
Token: SeSystemtimePrivilege	1860	WMIC.exe
Token: SeProfSingleProcessPrivilege	1860	WMIC.exe
Token: SeIncBasePriorityPrivilege	1860	WMIC.exe
Token: SeCreatePagefilePrivilege	1860	WMIC.exe
Token: SeBackupPrivilege	1860	WMIC.exe
Token: SeRestorePrivilege	1860	WMIC.exe
Token: SeShutdownPrivilege	1860	WMIC.exe
Token: SeDebugPrivilege	1860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1860	WMIC.exe
Token: SeRemoteShutdownPrivilege	1860	WMIC.exe
Token: SeUndockPrivilege	1860	WMIC.exe
Token: SeManageVolumePrivilege	1860	WMIC.exe
Token: 33	1860	WMIC.exe
Token: 34	1860	WMIC.exe
Token: 35	1860	WMIC.exe
Token: 36	1860	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.execmd.exe

description	pid	process	target process
PID 5016 wrote to memory of 4300	5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 5016 wrote to memory of 4300	5016	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 4300 wrote to memory of 1860	4300	cmd.exe	WMIC.exe
PID 4300 wrote to memory of 1860	4300	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
"C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C8E5A4D4-6E8F-4ECA-830A-CA63F6A2AC4B}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C8E5A4D4-6E8F-4ECA-830A-CA63F6A2AC4B}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1860-133-0x0000000000000000-mapping.dmp

Download
memory/4300-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads