60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
17/09/2023, 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
Size

138KB
MD5

7c055e203155b749a047987736400bfc
SHA1

17f48b45920e1f3e6581e60b0ed346b5770e8363
SHA256

60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21
SHA512

8bccbac3f0e761ef19c7a97e7474ac9dc68ac58d4bdfbe095a4778400d2655b2a98d70c301c47f7cb072e77b3e3fde07a0c9a39c151908be5f7c47e1d5f24cb7
SSDEEP

3072:UPgv1uTga8za7/aApO6fCR6kMgNjTX8jI8VD/dJJO04aN5uvvmRE7xIxT62Br09Q:oKZTMPVDdzR1N5sAxBN9dRd

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (9336) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened (read-only)	\??\F:	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_FR.LEX.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.VN.XML	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPLTMPL.CFG.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME09.CSS	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\CHICAGO.XSL	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INTLDATE.DLL.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\es-ES\Solitaire.exe.mui	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\PREVIEW.GIF.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImagesMask.bmp	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\meta-index	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\WMPSideShowGadget.exe.mui	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS4BOXES.POC.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\shvlzm.exe.mui.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME26.CSS.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304861.WMF	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14980_.GIF	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\currency.css	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPSLAX.DLL.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\TAB_ON.GIF	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\PREVIEW.GIF.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\PREVIEW.GIF	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143758.GIF.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182898.WMF.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0293832.WMF.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01742_.GIF.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\11.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\bckgzm.exe.mui.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationProvider.resources.dll	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File created	C:\Program Files\VideoLAN\VLC\skins\FILE ENCRYPTED.txt	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB11.BDR.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr.jar	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.CRT	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099156.JPG.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187849.WMF	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.JPG	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPCORE.DLL	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199475.WMF.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTL.ICO	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21495_.GIF	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\FILE ENCRYPTED.txt	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1XTOR.DLL	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libgain_plugin.dll	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14983_.GIF.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2916	vssadmin.exe
2492	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2596	vssvc.exe
Token: SeRestorePrivilege	2596	vssvc.exe
Token: SeAuditPrivilege	2596	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2600	2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe	5
PID 2180 wrote to memory of 2600	2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe	5
PID 2180 wrote to memory of 2600	2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe	5
PID 2180 wrote to memory of 2600	2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe	5
PID 2600 wrote to memory of 2916	2600	cmd.exe	3
PID 2600 wrote to memory of 2916	2600	cmd.exe	3
PID 2600 wrote to memory of 2916	2600	cmd.exe	3
PID 2180 wrote to memory of 2584	2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe	38
PID 2180 wrote to memory of 2584	2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe	38
PID 2180 wrote to memory of 2584	2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe	38
PID 2180 wrote to memory of 2584	2180	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe	38
PID 2584 wrote to memory of 2492	2584	cmd.exe	40
PID 2584 wrote to memory of 2492	2584	cmd.exe	40
PID 2584 wrote to memory of 2492	2584	cmd.exe	40

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:2916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
1⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21exe_JC.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FILE ENCRYPTED.txt

Filesize
334B

MD5
e4f855abc55b2bf304a66216e13c5ad8

SHA1
d72d90394f74a14a6cb27814a45575a322462fce

SHA256
e75a145c45cb21c0fa7df0b323b80a49e9e4cf4fe3901461fe521aa52e5ea87c

SHA512
85ff88a7a2a7a1d35c873e04084964b5ab74784144dfaca4c57b929ceddb8c6ecda5996877d95658544788b76d0dd98c218361c8884801672d93f81f6db087f8

Download Submit