e566ee2189f830504af1cb787279111b7b2f3817a61a85bad8d9810701dd4877

Analysis

max time kernel
1561s
max time network
1562s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
Size

114KB
MD5

0af2e477464520e3599dc58deaef2741
SHA1

eff20e476c1f05198297f61df9013cc02aa8016b
SHA256

63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc
SHA512

83fea75f8038942571f177ceabac360d802692af704ecc6a2f9cb8436340be40d0a543c62dee3d61a2fc3ec656b68e8e68d7e60c5d757dcf60626f585fef6398
SSDEEP

1536:tV4aLxvCy9nFI8EuD6O9+CIWFyKy/awv2I8zEc+n1g5sWjcdnKPltJGDc/Nb92ba:Ey3bJ+Crn48cpnKNtJqcFZ6a

Score

9^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (8635) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2504	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\CertificatesCheck = "C:\\Users\\Public\\63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe"	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe

Drops desktop.ini file(s) 38 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Videos\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2660163958-4080398480-1122754539-1000\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Public\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2660163958-4080398480-1122754539-1000\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187837.WMF	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_uk.dll	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WORDREP.DPV	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196358.WMF	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryNewsletter.dotx	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216858.WMF	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00350_.WMF	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Creston	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEW.ICO	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS11.POC	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15273_.GIF	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_sse2_plugin.dll	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\RECOVER-FILES-726.html	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\RECOVER-FILES-726.html	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.TLB	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\powerpnt.exe.manifest	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Concourse.xml	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tongatapu	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14984_.GIF	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_zh_4.4.0.v20140623020002.jar	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292270.WMF	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.PH.XML	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_mid.gif	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\psfont.properties.ja	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02845G.GIF	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_i420_plugin.dll	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REMOTES.ICO	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\RECOVER-FILES-726.html	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxml2.dll	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_dummy_plugin.dll	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_is.dll	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\RECOVER-FILES-726.html	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\RECOVER-FILES-726.html	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MSTHED98.POC	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099181.WMF	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NBOOK_01.MID	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Urumqi	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Trek.eftx	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04108_.WMF	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00372_.WMF	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01245_.GIF	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143749.GIF	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2812	vssadmin.exe
2424	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2696	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3008	vssvc.exe
Token: SeRestorePrivilege	3008	vssvc.exe
Token: SeAuditPrivilege	3008	vssvc.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2804	2696	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe	30
PID 2696 wrote to memory of 2804	2696	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe	30
PID 2696 wrote to memory of 2804	2696	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe	30
PID 2696 wrote to memory of 2804	2696	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe	30
PID 2804 wrote to memory of 2812	2804	cmd.exe	32
PID 2804 wrote to memory of 2812	2804	cmd.exe	32
PID 2804 wrote to memory of 2812	2804	cmd.exe	32
PID 2804 wrote to memory of 2812	2804	cmd.exe	32
PID 2804 wrote to memory of 2980	2804	cmd.exe	34
PID 2804 wrote to memory of 2980	2804	cmd.exe	34
PID 2804 wrote to memory of 2980	2804	cmd.exe	34
PID 2804 wrote to memory of 2980	2804	cmd.exe	34
PID 2804 wrote to memory of 2104	2804	cmd.exe	35
PID 2804 wrote to memory of 2104	2804	cmd.exe	35
PID 2804 wrote to memory of 2104	2804	cmd.exe	35
PID 2804 wrote to memory of 2104	2804	cmd.exe	35
PID 2804 wrote to memory of 2988	2804	cmd.exe	36
PID 2804 wrote to memory of 2988	2804	cmd.exe	36
PID 2804 wrote to memory of 2988	2804	cmd.exe	36
PID 2804 wrote to memory of 2988	2804	cmd.exe	36
PID 2804 wrote to memory of 1300	2804	cmd.exe	37
PID 2804 wrote to memory of 1300	2804	cmd.exe	37
PID 2804 wrote to memory of 1300	2804	cmd.exe	37
PID 2804 wrote to memory of 1300	2804	cmd.exe	37
PID 2696 wrote to memory of 1448	2696	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe	39
PID 2696 wrote to memory of 1448	2696	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe	39
PID 2696 wrote to memory of 1448	2696	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe	39
PID 2696 wrote to memory of 1448	2696	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe	39
PID 2696 wrote to memory of 2504	2696	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe	41
PID 2696 wrote to memory of 2504	2696	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe	41
PID 2696 wrote to memory of 2504	2696	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe	41
PID 2696 wrote to memory of 2504	2696	63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe	41
PID 1448 wrote to memory of 2424	1448	cmd.exe	43
PID 1448 wrote to memory of 2424	1448	cmd.exe	43
PID 1448 wrote to memory of 2424	1448	cmd.exe	43
PID 1448 wrote to memory of 2424	1448	cmd.exe	43
PID 1448 wrote to memory of 2164	1448	cmd.exe	44
PID 1448 wrote to memory of 2164	1448	cmd.exe	44
PID 1448 wrote to memory of 2164	1448	cmd.exe	44
PID 1448 wrote to memory of 2164	1448	cmd.exe	44
PID 1448 wrote to memory of 1308	1448	cmd.exe	45
PID 1448 wrote to memory of 1308	1448	cmd.exe	45
PID 1448 wrote to memory of 1308	1448	cmd.exe	45
PID 1448 wrote to memory of 1308	1448	cmd.exe	45
PID 1448 wrote to memory of 1500	1448	cmd.exe	46
PID 1448 wrote to memory of 1500	1448	cmd.exe	46
PID 1448 wrote to memory of 1500	1448	cmd.exe	46
PID 1448 wrote to memory of 1500	1448	cmd.exe	46
PID 1448 wrote to memory of 2116	1448	cmd.exe	47
PID 1448 wrote to memory of 2116	1448	cmd.exe	47
PID 1448 wrote to memory of 2116	1448	cmd.exe	47
PID 1448 wrote to memory of 2116	1448	cmd.exe	47

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1300	attrib.exe
2116	attrib.exe

C:\Users\Admin\AppData\Local\Temp\63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
"C:\Users\Admin\AppData\Local\Temp\63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\__t26F1.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2812
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\attrib.exe
    attrib Default.rdp -s -h
    3⤵
    - Views/modifies file attributes
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\__t955E.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2424
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\attrib.exe
    attrib Default.rdp -s -h
    3⤵
    - Views/modifies file attributes
    PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c .bat
  2⤵
  - Deletes itself
  PID:2504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2660163958-4080398480-1122754539-1000\desktop.ini

Filesize
1KB

MD5
bfd6155cad6649560214389907c68bb9

SHA1
57bb1399b6b2706135c60ffa14c3129588a9309c

SHA256
4ac8fe723a3213c18cda642a6b5f725778448d77d2c8ce30770c247c42e4ee71

SHA512
635970831d125f68bd42f2c4e1629f7e2666330e39a36750ced0ea062a386437a06b000b991405f11be1fd7650eb07304e4ab15a4447fe8e339db3a5293336e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.bat

Filesize
256B

MD5
c339578d9d74d46b5a47a60d03aae3db

SHA1
0e518c1e3e08b811e26e7ea03dc9600c1dbb09f6

SHA256
be9c75b14032f33ed33ec165ddb4d7f50dda04017911e56ab3591eeef0022e75

SHA512
9ed386de89742b1d7dd65b42394fab747f3e369c305c4de817b3a9f1f6952bdbec91b22d5642c8687a8f9e32ce3f67adf6f69c41981586d2df53feb021c69ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__t26F1.tmp.bat

Filesize
445B

MD5
32d8f7a3d0c796cee45f64b63c1cca38

SHA1
d58466430a2bba8641bd92c880557379e25b140c

SHA256
1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea

SHA512
288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698

Download Submit
C:\Users\Public\Videos\RECOVER-FILES-726.html

Filesize
4KB

MD5
3d280a62173c1d667a5a2c2d1eaff6ad

SHA1
23c22294e5666367a3cfb124d09478ac737c1ae6

SHA256
11c440f270d7568dbcf987344eecf628d025b8b1e02f2f83e348f6d6373c86c0

SHA512
be997c206092d67f31b46b3d954ffa8388c6d83745da821c67013ea84a0d095750761767476304116afb4d5a122a6eec596b3f97674c04811fb84d38699ba5a8

Download Submit