9e1d9504f01849014affc783aa1a47989897016e9c676b027ff23a803a37447d

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
01/10/2023, 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
Size

138KB
MD5

254df705ae1572e5bb33fdf9bdd38bb6
SHA1

3d40b40f626cae4d3499e72288cfdfe409df72ac
SHA256

17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd
SHA512

60ba12b65eca7387733707eb27a39c076e9a0d3945555638262030b3bd32e8dd1d584ec59bcce26d96ef217f08a06c582289914229c19ad857ddde789474bf17
SSDEEP

3072:MbvdlTga8za7/aApO6fCR6kMgoXpOpo7KqXd4ljqEJSfMKRuF2f0xsxT626f/GAo:MDppOabdUj1J+MKRaKPLAm3zRd

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\README ELECTRONIC.txt

Ransom Note

Electronic Ransmoware ATTENTION! At the moment, your system is not protected. We can fix itand restore files. To get started, send a file to decrypt trial. You can trust us after opening the test file. 2.Do not use free programs to unlock. To restore the system write to both : [email protected] and [email protected] Telegram id:@mgam161 Your Decryption ID: 142B4BFB2B4FD9BD

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (9322) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened (read-only)	\??\D:	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRINTL32.DLL	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vlc.mo	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File created	C:\Program Files (x86)\Google\Update\Install\README ELECTRONIC.txt	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215718.WMF.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\dnsns.jar.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\README ELECTRONIC.txt	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\README ELECTRONIC.txt	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\installation_telemetry.json	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORES.DLL.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXEV.DLL	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\psuser.dll.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_10_p010_plugin.dll	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\msjet.xsl	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Utilities.v3.5.resources.dll	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\ja-JP\Hearts.exe.mui.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Paper.eftx	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR3B.GIF.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jre7\lib\psfontj2d.properties.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.dll	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153265.WMF	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0230553.WMF	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromecast_plugin.dll.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis.css	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\mpvis.dll.mui	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187861.WMF.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\26.png	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClientsideProviders.resources.dll	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107188.WMF	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS.XML.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\bckgRes.dll.mui.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10335_.GIF.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AIR98.POC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\README ELECTRONIC.txt	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostTitle.XSL.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\README ELECTRONIC.txt	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Yekaterinburg	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Maldives.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Address.accft	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.EMAIL=[[email protected]]ID=[142B4BFB2B4FD9BD].ELCTRONIC	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.DPV	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2152	vssadmin.exe
2664	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2840	vssvc.exe
Token: SeRestorePrivilege	2840	vssvc.exe
Token: SeAuditPrivilege	2840	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2332	1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe	29
PID 1728 wrote to memory of 2332	1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe	29
PID 1728 wrote to memory of 2332	1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe	29
PID 1728 wrote to memory of 2332	1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe	29
PID 2332 wrote to memory of 2664	2332	cmd.exe	31
PID 2332 wrote to memory of 2664	2332	cmd.exe	31
PID 2332 wrote to memory of 2664	2332	cmd.exe	31
PID 1728 wrote to memory of 2384	1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe	37
PID 1728 wrote to memory of 2384	1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe	37
PID 1728 wrote to memory of 2384	1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe	37
PID 1728 wrote to memory of 2384	1728	17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe	37
PID 2384 wrote to memory of 2152	2384	cmd.exe	39
PID 2384 wrote to memory of 2152	2384	cmd.exe	39
PID 2384 wrote to memory of 2152	2384	cmd.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
"C:\Users\Admin\AppData\Local\Temp\17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2152

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\README ELECTRONIC.txt

Filesize
424B

MD5
771c185bef12d25590f660e626f75c8d

SHA1
58b5ba8fdfe8536324ee29f1db014a8011b9c665

SHA256
64d1a92068aa43e8d666a9f06984975287af4f879a841cbff2e6e2777c1386e6

SHA512
db4e6515a47c4782222c178af8fa67be37cc7d4cdb2add717cc347f9e6ab45b78da934d358384f8bc46573ab803c5133158f26ab22606eac07d6de238049cad6

Download Submit