targetcompany | 2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Size

478KB
MD5

9f908f344ec041cc1ebe5324da2cf183
SHA1

ec06c0d4c38acdd61e2bf940ae70b98a4661a08a
SHA256

2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc
SHA512

494d4184e6e31af9b5dc04fcd807456899f789069b487e7a7e56b2d9dbba2f47427b1c477ceab454713a1b380d155fe1396ddc9d93e966755941668588d16c17
SSDEEP

6144:20wmbI4/D4SHvrxw6zaIST1w9wEPDasWxxsBhS37b8o6XCFyPwCMa6ynkxq/y:Vzv66zaISTW9asWxxAh4IlXC4PUyMq/

Score

10^/10

targetcompany evasion ransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\HOW TO BACK FILES.txt

Ransom Note

Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: A4E8456839F8D7CFB12A99AA 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion �

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
ransomware targetcompany

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3932	bcdedit.exe
2280	bcdedit.exe

Renames multiple (6530) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\P:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\R:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\T:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\W:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\Z:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\A:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\M:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\U:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\Y:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\E:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\I:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\G:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\K:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\Q:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\S:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\V:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\D:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\B:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\L:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\O:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\X:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\H:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened (read-only)	\??\J:	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	api.ipify.org

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\ui-strings.js	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File created	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-200_contrast-white.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_scale-200.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ro-ro\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-60.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\it-it\ui-strings.js	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-16.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PaySquare44x44Logo.targetsize-24_altform-unplated.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-white_scale-100.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-white_scale-200.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_altform-unplated_contrast-white.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\THMBNAIL.PNG	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-default_32.svg	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\icudtl.dat.DATA	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SpotlightMail_2017-09.gif	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\ui-strings.js	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-400.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-100.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_contrast-black.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_store.targetsize-48.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\PREVIEW.GIF	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-400_contrast-black.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\ui-strings.js	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-256_altform-unplated_contrast-black.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-32_altform-unplated.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\plugin.js	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-125_contrast-black.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_altform-unplated_contrast-black.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-250.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-24_altform-unplated.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-40.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-40.png	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\HOW TO BACK FILES.txt	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALA.TTF	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeDebugPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
Token: SeTakeOwnershipPrivilege	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 3704	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe	92
PID 2224 wrote to memory of 3704	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe	92
PID 2224 wrote to memory of 4548	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe	94
PID 2224 wrote to memory of 4548	2224	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe	94
PID 3704 wrote to memory of 3932	3704	cmd.exe	98
PID 3704 wrote to memory of 3932	3704	cmd.exe	98
PID 4548 wrote to memory of 2280	4548	cmd.exe	99
PID 4548 wrote to memory of 2280	4548	cmd.exe	99

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe

C:\Users\Admin\AppData\Local\Temp\2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe
"C:\Users\Admin\AppData\Local\Temp\2f5fac1ababd213d8010eda9ccb5320f25fd0f2e95bb86154bf7e8bcad6fc4dc.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.b783ffe3.pri

Filesize
2KB

MD5
ef7e03ef3a99c35cce2be834c60ac65a

SHA1
db465748d93e47f7953df29f8dd0ec5d765cf363

SHA256
90de708134021605a84d1f541b091c475df56804149f5676f5327609967d6860

SHA512
246fa71f20edf2b8af4c003ba92405371e4c5c2f07082a325a0f705d85ac6ee27108a9cc4cd8624017f1f9be437ff8a6dc9c0e8888b05d68ce4064ab92b90326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1YRVVION\00I0GQJO.txt

Filesize
12B

MD5
8cf4dec152a9d79a3d62202b886eda9b

SHA1
0c1b3d3d02c0b655aa3526a58486b84872f18cc2

SHA256
c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01

SHA512
a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd

Download Submit
\Device\HarddiskVolume1\HOW TO BACK FILES.txt

Filesize
910B

MD5
2337a7e24e872b05acfac2dfc7573937

SHA1
767c247cc58e1dc1e4c47f4074e917cf22c44623

SHA256
a0116cc816a5fb4b764280da7cdb93e10e5bfc043e1dcbf78a7a3c7f67e53605

SHA512
85a2cbc2f351fe7dae8af87ff6307bb466c255aa7122e8b8bd44192b5ae15e1e0a37de13621a871b21ca2f96c97d02ac614e8a6b2ad8dd5fa301c6ff2eaed88d

Download Submit