Analysis
-
max time kernel
17s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
28-03-2024 15:06
Static task
static1
Behavioral task
behavioral1
Sample
215c37360388d16653ffc1740c639d486753a9db69a8ad4f3e1b172b1b712df4.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe
Resource
win7-20240220-en
Behavioral task
behavioral3
Sample
8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe
Resource
win7-20240215-en
Behavioral task
behavioral5
Sample
f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe
Resource
win7-20240221-en
General
-
Target
8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe
-
Size
362KB
-
MD5
7fefb77a270715166ddd1e323695a9bd
-
SHA1
a8bf6a35a9605932332d44ff6983a83febb0b99f
-
SHA256
8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788
-
SHA512
de27be7ce7bc5443f0117d0cf0ec9e02266339a23c07a966baa741cd736d3539c7806801186fe3a940f843da4b0b4ebbd55e8c50d6c32c760ef578b17f48b121
-
SSDEEP
6144:XW8Abuyx83ECgS8DBN8+betvD0tU0qOixjuxduaZ2YjkwEL/S:m8uxp9C+SqiyduMzkwEr
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (1636) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\license.rtf 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File created C:\Windows\SysWOW64\locationnotificationsview.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\7-Zip\Lang\ku.txt 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck.css 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File created C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue.css 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIconsMask.bmp 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Class.zip 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File created C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.lnk 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File created C:\Program Files (x86)\Internet Explorer\en-US\eula.rtf 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\7-Zip\Lang\fur.txt 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\7-Zip\Lang\pt.txt 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.bat 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Casual.css 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ResourceInternal.zip 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\drag.png 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\7-Zip\Lang\hr.txt 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.lnk 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableDownArrow.jpg 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\MDIParent.zip 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Program Files\7-Zip\Lang\cy.txt 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File created C:\Program Files\Internet Explorer\Timeline.cpu.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\DefaultWsdlHelpGenerator.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Provider.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageConsolidatedProviders.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\manageAllRoles.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\DropSqlWorkflowInstanceStoreLogic.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersistSqlState.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\de\SqlPersistenceProviderSchema.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1042\LocalizedData.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1055\LocalizedData.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File created C:\Windows\Web\Wallpaper\Characters\img19.jpg 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Provider.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\security.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlPersistenceService_Schema.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\Tracking_Logic.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallPersistSqlState.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Schema.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallPersistSqlState.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\de\Tracking_Logic.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\de\Tracking_Schema.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallMembership.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminStyles.css 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\editUser.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_es_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_fr_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\ja\DropSqlPersistenceProviderSchema.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1031\eula.rtf 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallMembership.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersonalization.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageAllRoles.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\es\DropSqlPersistenceProviderLogic.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallCommon.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallCommon.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\DefineErrorPage.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallMembership.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\RedistList\FrameworkList.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlPersistenceService_Logic.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlState.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx45_IIS_schema_update.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\es\SqlPersistenceService_Schema.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\error.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_ja_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallWebEventSqlProvider.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\manageUsers.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\default.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\es\SqlPersistenceProviderSchema.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1053\LocalizedData.xml 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Logic.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\SQL\it\SqlPersistenceProviderLogic.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\ja\SqlPersistenceProviderSchema.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UninstallRoles.sql 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageConsolidatedProviders.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1536 vssadmin.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeDebugPrivilege 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe Token: 33 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe Token: SeIncBasePriorityPrivilege 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe Token: SeIncreaseQuotaPrivilege 1788 WMIC.exe Token: SeSecurityPrivilege 1788 WMIC.exe Token: SeTakeOwnershipPrivilege 1788 WMIC.exe Token: SeLoadDriverPrivilege 1788 WMIC.exe Token: SeSystemProfilePrivilege 1788 WMIC.exe Token: SeSystemtimePrivilege 1788 WMIC.exe Token: SeProfSingleProcessPrivilege 1788 WMIC.exe Token: SeIncBasePriorityPrivilege 1788 WMIC.exe Token: SeCreatePagefilePrivilege 1788 WMIC.exe Token: SeBackupPrivilege 1788 WMIC.exe Token: SeRestorePrivilege 1788 WMIC.exe Token: SeShutdownPrivilege 1788 WMIC.exe Token: SeDebugPrivilege 1788 WMIC.exe Token: SeSystemEnvironmentPrivilege 1788 WMIC.exe Token: SeRemoteShutdownPrivilege 1788 WMIC.exe Token: SeUndockPrivilege 1788 WMIC.exe Token: SeManageVolumePrivilege 1788 WMIC.exe Token: 33 1788 WMIC.exe Token: 34 1788 WMIC.exe Token: 35 1788 WMIC.exe Token: SeBackupPrivilege 992 vssvc.exe Token: SeRestorePrivilege 992 vssvc.exe Token: SeAuditPrivilege 992 vssvc.exe Token: SeIncreaseQuotaPrivilege 1788 WMIC.exe Token: SeSecurityPrivilege 1788 WMIC.exe Token: SeTakeOwnershipPrivilege 1788 WMIC.exe Token: SeLoadDriverPrivilege 1788 WMIC.exe Token: SeSystemProfilePrivilege 1788 WMIC.exe Token: SeSystemtimePrivilege 1788 WMIC.exe Token: SeProfSingleProcessPrivilege 1788 WMIC.exe Token: SeIncBasePriorityPrivilege 1788 WMIC.exe Token: SeCreatePagefilePrivilege 1788 WMIC.exe Token: SeBackupPrivilege 1788 WMIC.exe Token: SeRestorePrivilege 1788 WMIC.exe Token: SeShutdownPrivilege 1788 WMIC.exe Token: SeDebugPrivilege 1788 WMIC.exe Token: SeSystemEnvironmentPrivilege 1788 WMIC.exe Token: SeRemoteShutdownPrivilege 1788 WMIC.exe Token: SeUndockPrivilege 1788 WMIC.exe Token: SeManageVolumePrivilege 1788 WMIC.exe Token: 33 1788 WMIC.exe Token: 34 1788 WMIC.exe Token: 35 1788 WMIC.exe Token: 33 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe Token: SeIncBasePriorityPrivilege 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2820 wrote to memory of 672 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe 30 PID 2820 wrote to memory of 672 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe 30 PID 2820 wrote to memory of 672 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe 30 PID 2820 wrote to memory of 672 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe 30 PID 2820 wrote to memory of 2136 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe 32 PID 2820 wrote to memory of 2136 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe 32 PID 2820 wrote to memory of 2136 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe 32 PID 2820 wrote to memory of 2136 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe 32 PID 2820 wrote to memory of 2104 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe 34 PID 2820 wrote to memory of 2104 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe 34 PID 2820 wrote to memory of 2104 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe 34 PID 2820 wrote to memory of 2104 2820 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe 34 PID 672 wrote to memory of 1536 672 cmd.exe 36 PID 672 wrote to memory of 1536 672 cmd.exe 36 PID 672 wrote to memory of 1536 672 cmd.exe 36 PID 672 wrote to memory of 1536 672 cmd.exe 36 PID 2136 wrote to memory of 1788 2136 cmd.exe 37 PID 2136 wrote to memory of 1788 2136 cmd.exe 37 PID 2136 wrote to memory of 1788 2136 cmd.exe 37 PID 2136 wrote to memory of 1788 2136 cmd.exe 37 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe"C:\Users\Admin\AppData\Local\Temp\8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1536
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete2⤵
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1788
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet2⤵PID:2104
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:992