2c9f4b12528c5fe7f63dfd2726b7a4e2ad8d20040c4fa3c4c024cc88b5e84e06

General

Target

eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Size

162KB
MD5

7e851829ee37bc0cf65a268d1d1baa7a
SHA1

672553c79db2a3859a8ea216804d4ff8d2ded538
SHA256

eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc
SHA512

856c6d27669b3123064d85adbc119414f5418f80bbbc9f85f4575df97cf34d1f4ab96fab5442a337ac6a90c076ba5af835f5286cb403acfb3a1e4fc5d0834ebd
SSDEEP

3072:rjvNTtA6pzarOLgSua/iw6kzg3qe1PTjrnFFMVUT6tSTC6D1vtPR1DO66ddJpW3h:r72qe1PTjrnf/KMR1j6df01fiuAP3xFm

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (349) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe

description	ioc	process
File opened (read-only)	\??\H:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\N:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\W:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\A:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\M:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\T:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\U:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\V:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\X:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\Z:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\L:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\E:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\G:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\O:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\P:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\S:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\B:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\I:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\J:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\K:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\Q:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\R:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\Y:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
File opened (read-only)	\??\F:	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe

Drops file in System32 directory 1 IoCs

Processes:

eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe

description ioc process

File created C:\Windows\system32\spool\PRINTERS\00002.SPL eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg"	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
Token: SeTakeOwnershipPrivilege	1948	eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe

C:\Users\Admin\AppData\Local\Temp\eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
"C:\Users\Admin\AppData\Local\Temp\eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

F:\README.txt

Filesize
423B

MD5
7ff94943cdf15452a094e7a8587755b6

SHA1
663d82d423fd075b4c87e6428e9c2556c474b88e

SHA256
6497c4ac3c3c1dc3fa0405571007a21ae4cecb7cc7cc170c4ad17f683a6118a5

SHA512
da91f22c6c9fd4f25a5bc6be74c2dbf1b4d886af97d6dba49de12bef6f9d511b7cd834bae1851a5b4057b665353b2d6b802c5c45076ca5af94827db2ef2028ef

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads