a18009600efc1859dd0116564bed3888d21fb9290d7298a093d747b621427da3

Analysis

max time kernel
79s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2023, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
Size

138KB
MD5

7c055e203155b749a047987736400bfc
SHA1

17f48b45920e1f3e6581e60b0ed346b5770e8363
SHA256

60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21
SHA512

8bccbac3f0e761ef19c7a97e7474ac9dc68ac58d4bdfbe095a4778400d2655b2a98d70c301c47f7cb072e77b3e3fde07a0c9a39c151908be5f7c47e1d5f24cb7
SSDEEP

3072:UPgv1uTga8za7/aApO6fCR6kMgNjTX8jI8VD/dJJO04aN5uvvmRE7xIxT62Br09Q:oKZTMPVDdzR1N5sAxBN9dRd

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (10758) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened (read-only)	\??\D:	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\close.svg.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\sr-latn-cs\mso.acl	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-400_contrast-white.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-100.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_ja_4.4.0.v20140623020002.jar.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\BRANDING.DLL.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\FILE ENCRYPTED.txt	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\identity_helper.Sparse.Canary.msix.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\194.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_gridview_selected.svg.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_en_CA.txt	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\selector.js	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_da.dll.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionSmallTile.scale-125.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\FILE ENCRYPTED.txt	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\ui-strings.js.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_zh_CN.jar	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File created	C:\Program Files\Microsoft Office\root\Templates\FILE ENCRYPTED.txt	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-125.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\AppxMetadata\AppxBundleManifest.xml	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdcp_plugin.dll.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSplashScreen.scale-100_contrast-black.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-30_altform-unplated.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tr.gif	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\MedTile.scale-125.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_zh_CN.jar	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\FILE ENCRYPTED.txt	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ppd.xrm-ms	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansRegular.ttf.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\TextIntelligence.dll.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_scan_logo.svg.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\ui-strings.js	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsLargeTile.scale-100.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7ce.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-60_contrast-white.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLikeExactly.Tests.ps1	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fi-fi\FILE ENCRYPTED.txt	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_da.dll	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\Movie-TVStoreLogo.scale-100_contrast-black.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\ui-strings.js	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_hr.dll	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\SmallLogoBeta.png.DATA	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\FILE ENCRYPTED.txt	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\FILE ENCRYPTED.txt	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Tongue.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\ui-strings.js.EMAIL=[[email protected]]ID=[1730E6121CD87855].elibe	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign-2x.png	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
704	vssadmin.exe
4128	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1340	vssvc.exe
Token: SeRestorePrivilege	1340	vssvc.exe
Token: SeAuditPrivilege	1340	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2804	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 4852	4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe	86
PID 4176 wrote to memory of 4852	4176	60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe	86
PID 4852 wrote to memory of 4128	4852	cmd.exe	88
PID 4852 wrote to memory of 4128	4852	cmd.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
"C:\Users\Admin\AppData\Local\Temp\60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4128
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:2320
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2592

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FILE ENCRYPTED.txt

Filesize
334B

MD5
e4f855abc55b2bf304a66216e13c5ad8

SHA1
d72d90394f74a14a6cb27814a45575a322462fce

SHA256
e75a145c45cb21c0fa7df0b323b80a49e9e4cf4fe3901461fe521aa52e5ea87c

SHA512
85ff88a7a2a7a1d35c873e04084964b5ab74784144dfaca4c57b929ceddb8c6ecda5996877d95658544788b76d0dd98c218361c8884801672d93f81f6db087f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
14KB

MD5
ab7ad3ba9ce406f024d67bbf719ea270

SHA1
ad3b8ff15db4d06439fba2fae4f14759aa3442fd

SHA256
23e81fa178f76252bc762c13875c31d481332ff6c948fd19d05938015de55a1a

SHA512
023fd9a530564213490a17d618087d3cdead08bc7a000dcde248e61d20d02569837c3e85f0a08a19a083279e87d5ccd43c34151649e598ff94b0ac29fa0d510e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
14KB

MD5
9092019a4cb93f3b4e00bf6431c5a347

SHA1
68a90e4e16c7c027cd0a46ac7b7172bcc9c19baa

SHA256
223ccdbe8607265d53bb0467e367b13071388488b33c630f926725e517564ace

SHA512
eb1d6361d680050ff9b29edae07a584a55f0350cbeb12cf4476be21bd4dc80784e2989a7ca86cebfe00b6db9bc17115d239edb4e26b24aef136020ccc3f5248f

Download Submit