48af861dbb90de2fc9c5de5506124bb42382e84eac75eb606eaf0bfcda0896af

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
Size

81KB
MD5

059ac4569026c1b74e541d98b6240574
SHA1

2a9c036ed1f2a86bec63ead2f2d2e6412faf6ada
SHA256

479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227
SHA512

3f9e1af50f94f9e7dcc938939588294271f31b0eec36497a83a380fa03bfbee44ca51a5dc4d04f440d0787df5c8406639ab8644d617d3cdec0de1b06385b5d0d
SSDEEP

1536:+eDgKdeWMHH5t1fzDhx6uEY5mZJtBtVa3hb7mS:rDHsHZt1LDeUyLVaE

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (5820) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened (read-only)	\??\Z:	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\fonts\NotebookIconAnimation.ttf	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\161.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-32_altform-unplated.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-400.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.scale-200_contrast-black.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Cloud.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-48_altform-lightunplated.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileLargeSquare.scale-100.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CoreEngine\Data\BrushProfile\BrushBump64.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ar-SA\View3d\README.TXT	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_nb.json	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\heycortana_en-US.table	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyView.scale-200.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\ui-strings.js	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxManifest.xml	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-200.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-60_contrast-white.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleMedTile.scale-200.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\eu-es\README.TXT	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-100.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.scale-125_contrast-white.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pt-br\ui-strings.js	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\ui-strings.js	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nl-nl\ui-strings.js	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\README.TXT	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-200.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-200_contrast-white.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\WideTile.scale-125.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ms-MY\README.TXT	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-200.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-72.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pl_135x40.svg	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppxManifest.xml	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\README.TXT	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\README.TXT	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\fabric.min.css	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp8.scale-200.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\README.TXT	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_altform-unplated.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-3.jpg	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\README.TXT	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\officons.ttf	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-20.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ja-JP\View3d\3DViewerProductDescription-universal.xml	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1900	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2224	479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
Token: SeBackupPrivilege	3648	vssvc.exe
Token: SeRestorePrivilege	3648	vssvc.exe
Token: SeAuditPrivilege	3648	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe
"C:\Users\Admin\AppData\Local\Temp\479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.TXT
1⤵
- Opens file in notepad (likely ransom note)
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\README.TXT

Filesize
1KB

MD5
e2bd1addcfe55f5b6ef72496beeaddf9

SHA1
3287c232fc34bdebb0744357807a33339d5547e6

SHA256
b720d5c1f063941d77082aecd8565e2ba8513a26c60e6737bb05b4789dfff5a0

SHA512
8b0a176d555f27e9fb6af0ad84114ab71d12ab8fda3d9a1720ed953c24168548fa0c85fa8e2e4d3001a7b64d6ada902128eacae63682b195813f2bd44a0bce88

Download Submit