Analysis
-
max time kernel: 120s
max time network: 123s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 01/10/2023, 14:00

Static task: static1

Behavioral task: behavioral1
Sample: 17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
Resource: win7-20230831-en

Behavioral task: behavioral2
Sample: 17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
Resource: win10v2004-20230915-en
General
-
Target: 17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
Size: 138KB
MD5: 254df705ae1572e5bb33fdf9bdd38bb6
SHA1: 3d40b40f626cae4d3499e72288cfdfe409df72ac
SHA256: 17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd
SHA512: 60ba12b65eca7387733707eb27a39c076e9a0d3945555638262030b3bd32e8dd1d584ec59bcce26d96ef217f08a06c582289914229c19ad857ddde789474bf17
SSDEEP: 3072:MbvdlTga8za7/aApO6fCR6kMgoXpOpo7KqXd4ljqEJSfMKRuF2f0xsxT626f/GAo:MDppOabdUj1J+MKRaKPLAm3zRd
Malware Config
-
Extracted: C:\ProgramData\README ELECTRONIC.txt
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (9322) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 1 IoCs
description / ioc / Process
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI  17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process
File opened (read-only)  \??\F:  17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
File opened (read-only)  \??\D:  17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid / Process
2152  vssadmin.exe
2664  vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description / pid / Process
Token: SeBackupPrivilege  2840  vssvc.exe
Token: SeRestorePrivilege  2840  vssvc.exe
Token: SeAuditPrivilege  2840  vssvc.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
description / pid / Process / procid_target
PID 1728 wrote to memory of 2332  1728  17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe  29
PID 1728 wrote to memory of 2332  1728  17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe  29
PID 1728 wrote to memory of 2332  1728  17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe  29
PID 1728 wrote to memory of 2332  1728  17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe  29
PID 2332 wrote to memory of 2664  2332  cmd.exe  31
PID 2332 wrote to memory of 2664  2332  cmd.exe  31
PID 2332 wrote to memory of 2664  2332  cmd.exe  31
PID 1728 wrote to memory of 2384  1728  17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe  37
PID 1728 wrote to memory of 2384  1728  17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe  37
PID 1728 wrote to memory of 2384  1728  17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe  37
PID 1728 wrote to memory of 2384  1728  17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe  37
PID 2384 wrote to memory of 2152  2384  cmd.exe  39
PID 2384 wrote to memory of 2152  2384  cmd.exe  39
PID 2384 wrote to memory of 2152  2384  cmd.exe  39
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.exe"
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1728
  -
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    PID:2332
    -
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
      PID:2664
  -
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    PID:2384
    -
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
      PID:2152
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 424B
MD5: 771c185bef12d25590f660e626f75c8d
SHA1: 58b5ba8fdfe8536324ee29f1db014a8011b9c665
SHA256: 64d1a92068aa43e8d666a9f06984975287af4f879a841cbff2e6e2777c1386e6
SHA512: db4e6515a47c4782222c178af8fa67be37cc7d4cdb2add717cc347f9e6ab45b78da934d358384f8bc46573ab803c5133158f26ab22606eac07d6de238049cad6