globeimposter | 22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a

Analysis

max time kernel
140s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
Size

220KB
MD5

0f79c1cda4b2f9230203cf1def2a9d02
SHA1

609d9c995e7d1f657d56e12c388234d76bffcb83
SHA256

22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a
SHA512

631381caeb6598ac284f0bacba3d840496a571db1573c4550ece8a2414a3c76291e0aa160b7ce38a31ce22eb34a8ccbd12b44c46f7bf10bb7e3221f77a747d3c
SSDEEP

3072:RguO56UGXss77V+Vau63bPuezMXBNLhy1njptnwk84Xpc5I:FUGFWauaIB5hyNjUkC5I

Score

10^/10

globeimposter defense_evasion discovery persistence ransomware spyware stealer

Malware Config

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Renames multiple (9086) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Clears Network RDP Connection History and Configurations 1 TTPs 2 IoCs

Remove evidence of malicious network connections to clean up operations traces.

defense_evasion

Clear Network Connection History and Configurations

T1070.007

pid	Process
1980	reg.exe
4004	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Roaming\\22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe"	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe

Drops desktop.ini file(s) 30 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Public\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\ui-strings.js	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.security	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\vcruntime140_1_app.dll	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\ui-strings.js	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1949_40x40x32.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\da-dk\ui-strings.js	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.tree.dat	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-125_contrast-white.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Read___ME.html	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\Read___ME.html	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-80_altform-lightunplated.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\msproof7imm.dll	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\Read___ME.html	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-336.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\View3d\3DViewerProductDescription-universal.xml	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_is.dll	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\ui-strings.js	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\ui-strings.js	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\db2v0801.xsl	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-256_altform-unplated.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookMedTile.scale-100.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-40_altform-unplated_contrast-white.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ContemporaryPhotoAlbum.potx	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.tree.dat	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-36.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-100.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-72_altform-unplated.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Primitives.resources.dll	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\Read___ME.html	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\Read___ME.html	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail.scale-400.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.RichMedia.Ink.Controls.dll	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsBase.dll	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-200_contrast-white.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-fullcolor.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l2-1-0.dll	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\Read___ME.html	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-200.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Wood.dxt	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSmallTile.scale-125.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\LockScreenLogo.scale-400.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\ui-strings.js	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\Read___ME.html	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-250.png	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3296	2028	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2028	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
2028	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2720	2028	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe	94
PID 2028 wrote to memory of 2720	2028	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe	94
PID 2028 wrote to memory of 2720	2028	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe	94
PID 2720 wrote to memory of 1980	2720	cmd.exe	96
PID 2720 wrote to memory of 1980	2720	cmd.exe	96
PID 2720 wrote to memory of 1980	2720	cmd.exe	96
PID 2720 wrote to memory of 4004	2720	cmd.exe	97
PID 2720 wrote to memory of 4004	2720	cmd.exe	97
PID 2720 wrote to memory of 4004	2720	cmd.exe	97
PID 2720 wrote to memory of 4576	2720	cmd.exe	98
PID 2720 wrote to memory of 4576	2720	cmd.exe	98
PID 2720 wrote to memory of 4576	2720	cmd.exe	98
PID 2720 wrote to memory of 4500	2720	cmd.exe	99
PID 2720 wrote to memory of 4500	2720	cmd.exe	99
PID 2720 wrote to memory of 4500	2720	cmd.exe	99
PID 2028 wrote to memory of 5056	2028	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe	100
PID 2028 wrote to memory of 5056	2028	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe	100
PID 2028 wrote to memory of 5056	2028	22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe	100

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4500	attrib.exe

C:\Users\Admin\AppData\Local\Temp\22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe
"C:\Users\Admin\AppData\Local\Temp\22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp49EB.tmp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
    3⤵
    - Clears Network RDP Connection History and Configurations
    - System Location Discovery: System Language Discovery
    PID:1980
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    3⤵
    - Clears Network RDP Connection History and Configurations
    - System Location Discovery: System Language Discovery
    PID:4004
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4576
- - C:\Windows\SysWOW64\attrib.exe
    attrib Default.rdp -s -h
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4500
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\22abc470d761ac7d46b0b9febe33b6c3801f3d6df1e2ecac071b78247f38dc8a.exe > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1088
  2⤵
  - Program crash
  PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2028 -ip 2028
1⤵
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

Clear Network Connection History and Configurations

T1070.007

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini

Filesize
1KB

MD5
2ee87933f97f70d70d5f4b1930adb9f7

SHA1
617d284e389972df13ab764bb01d6b4be2210d03

SHA256
d54e9ec82b026aa99b5d6245e5d62a80df86b71dfca8c0882dc599e6fb15d177

SHA512
7eb9ea530a34f80e57035a45f619b6baebe5e7869900c9f2ef95be3b6734109db5439de30bd2e4803665bfa838d383f5a1f55e639abccdd294ae19fecd4fce07

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp49EB.tmp.bat

Filesize
445B

MD5
32d8f7a3d0c796cee45f64b63c1cca38

SHA1
d58466430a2bba8641bd92c880557379e25b140c

SHA256
1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea

SHA512
288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698

Download Submit
C:\Users\Public\Videos\Read___ME.html

Filesize
4KB

MD5
6a0d15f3522829983076db5bf40f0e2f

SHA1
b7113eda2631d71fd56a4bb7bb83fe85bb975666

SHA256
73139a465cdf0e14b90fa95e0598cae252712a33102e25de515335612765252c

SHA512
f7af99cf5deb1a5a58613154101d9530105ddf94e49621d3a20ace358500e72feeaacb225c365ddb760afed108d7f6a300be48cdfb56aa9f48cec797b7e90bda

Download Submit
memory/2028-1-0x0000000000870000-0x0000000000970000-memory.dmp

Filesize
1024KB

Download
memory/2028-3-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2028-1072-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2028-4172-0x0000000000870000-0x0000000000970000-memory.dmp

Filesize
1024KB

Download
memory/2028-4727-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download