7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2024, 17:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
Size

151KB
MD5

31ed39e13ae9da7fa610f85b56838dde
SHA1

ff602997ce7bdd695a282bd373daf57bea7a051f
SHA256

7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f
SHA512

199d70b70636555fbe753e83662cc672b5b06428050229856e9912488037cb4dae34a0766c3fcc560afd8fb07a4dcb5cfd8435a0fe3db86484a7929218cab5ee
SSDEEP

3072:lAMP+TYgJWo6QD6ivAFvvYknplbZVaX6TEQZwRNfysqdoTPwum3n:OZNMnQFvM/lbbHTFZw/fLm3n

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (7135) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\X:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\G:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\O:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\D:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\A:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\E:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\S:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\U:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\I:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\J:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\M:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\T:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\Y:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\Z:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\W:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\H:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\K:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\N:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\Q:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\F:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\B:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\L:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\P:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened (read-only)	\??\R:	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-400_contrast-black.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\ui-strings.js.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-200.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\View3d\3DViewerProductDescription-universal.xml	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\THMBNAIL.PNG	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100_contrast-high.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\CYLANCE_README.txt	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\32.jpg	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-300.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\SetupTeardown.ps1	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File created	C:\Program Files (x86)\Microsoft.NET\CYLANCE_README.txt	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageLargeTile.scale-200.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\ui-strings.js.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_ie8.gif	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\CYLANCE_README.txt	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionSmallTile.scale-400.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kk-KZ\View3d\3DViewerProductDescription-universal.xml	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\AXIS.ELM	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\ui-strings.js	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg7_thumb.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-16.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-150.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\LICENSE.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSmallTile.scale-200.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\fillandsign.svg.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\plugin.js.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\jconsole.jar	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\ui-strings.js.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_zh_cn_135x40.svg	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-200.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-300.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-Bold.otf.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_auditreport_18.svg	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\powerpnt.exe.manifest.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_BillPay.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\Scrubbing_icons.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\5.rsrc	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-lightunplated.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\tr-TR\View3d\CYLANCE_README.txt	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\ui-strings.js.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\resources.pri	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-oob.xrm-ms	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN089.XML.Cylance	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxSmallTile.scale-400.png	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\eu-es\CYLANCE_README.txt	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2268	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
Token: SeRestorePrivilege	2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
Token: SeBackupPrivilege	2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
Token: SeTakeOwnershipPrivilege	2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
Token: SeAuditPrivilege	2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
Token: SeSecurityPrivilege	2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
Token: SeIncBasePriorityPrivilege	2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
Token: SeBackupPrivilege	5052	vssvc.exe
Token: SeRestorePrivilege	5052	vssvc.exe
Token: SeAuditPrivilege	5052	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4092	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 3080	2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe	90
PID 2608 wrote to memory of 3080	2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe	90
PID 2608 wrote to memory of 3080	2608	7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe	90
PID 3080 wrote to memory of 2268	3080	cmd.exe	92
PID 3080 wrote to memory of 2268	3080	cmd.exe	92
PID 3080 wrote to memory of 2268	3080	cmd.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe
"C:\Users\Admin\AppData\Local\Temp\7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2296

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CYLANCE_README.txt

Filesize
1KB

MD5
32ed1a322313315a29386ba2cffd8079

SHA1
839f482a0d3cb840cfe156785964cbc7a49df01b

SHA256
2c86c61081632759b94c6ab42ca4b780e626667ecf8cc834b63405bcf5f05d18

SHA512
e8983ea278d8cdeaeb51bb44eafee9d6494cea2f47406e3fb8828d9e33111af084fac39fa253758635bcdbf51e4da176c791d79aa27099dab8c6d75d6991e2fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
13KB

MD5
c9d316cb9972e9b0270884903377b574

SHA1
81d1eedfd992649eb8f35916dc1f9e08e22de625

SHA256
4f5546c9c6a49f96cb8fcf0a25856301f2d9625378b55c418b6aa658e5154018

SHA512
f70018b497e1a2f00537825f34db3f9b8312cfe5bd6458eebc6443c4e04b50039d106ccb33925457c9867242d039307428e810e7b274ee6457eb2be2b3295e21

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
13KB

MD5
89d94decf03187f66e87c6c7d9b24df8

SHA1
3d1bf61341dc7e293949a097b56d9ad8d8c74c2c

SHA256
879920ab5c99e912b6f2f1905c5e8b6cf08c84f35048980ecf39ba250b22afbc

SHA512
2b1ad3bca5f10bf15bc4da762c43295db5a1372d0c6de5a24a948f875c08a100d1f09ffcdd5dd6322767adf96fcf7ce2c07298d141a3fc60ddec19dfedb2f758

Download Submit