09c91862d6e40c74f6edc233440b5f691d498ede6fb00bb43d309ca24e4e67b9

Analysis

max time kernel
837s
max time network
844s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
Size

268KB
MD5

4e2b58f99ad9f13c2b09f0741739775d
SHA1

6a51d0cd9ea189babad031864217ddd3a7ddba84
SHA256

72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b
SHA512

dd74f94fbe6324410e832ab22b2807bbc5bc4171704477898a2b64a1ce6a7b3a289a4fb399412152b33a6b286e439c8d89eca4d5cba7bcd65dcb864e18487ebd
SSDEEP

3072:gfLB0w+Wv5pa/Dc/nuOL23e8aoeE+aqfnfj59AEYfzaBUGm+0lh831QPfrwV6cFK:+TgenuOLCL+559AEq+m+jmEIcFaNtN

Score

9^/10

defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (8633) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Clears Network RDP Connection History and Configurations 1 TTPs 4 IoCs
Remove evidence of malicious network connections to clean up operations traces.
defense_evasion

Clear Network Connection History and Configurations
T1070.007

Processes:

reg.exereg.exereg.exereg.exe

pid process

2928 reg.exe
2856 reg.exe
2568 reg.exe
2000 reg.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1484 cmd.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2928	reg.exe
2856	reg.exe
2568	reg.exe
2000	reg.exe

pid	process
1484	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\CertificatesCheck = "C:\\Users\\Public\\72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe"	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe

Drops desktop.ini file(s) 38 IoCs

Processes:

72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe

description	ioc	process
File opened for modification	C:\Users\Public\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe

description	pid	process	target process
PID 2656 set thread context of 2484	2656	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe

Drops file in Program Files directory 64 IoCs

Processes:

72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Opulent.thmx	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185670.WMF	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnPPT.dll	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XLINTL32.DLL	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Beirut	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\TAB_ON.GIF	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREETING.DPV	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090089.WMF	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\RECOVER-FILES.html	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jerusalem	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Adak	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Traditional.dotx	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00452_.WMF	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00898_.WMF	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00669_.WMF	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00391_.WMF	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository_1.1.300.v20131211-1531.jar	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21314_.GIF	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Easter	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SPLASH.WAV	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\RECOVER-FILES.html	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0278882.WMF	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02158_.WMF	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086426.WMF	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\RECOVER-FILES.html	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\accessibility.properties	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LOGO98.POC	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\BG_ADOBE.GIF	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange.css	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198234.WMF	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Krasnoyarsk	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSEvents.man	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_ON.GIF	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01629_.WMF	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0300862.WMF	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\RECOVER-FILES.html	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_ko.properties	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vssadmin.exeattrib.exereg.exe72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.execmd.exereg.exeattrib.exereg.exereg.execmd.exereg.exe72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.execmd.exevssadmin.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

1984 vssadmin.exe
2500 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe

pid process

2484 72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2980 vssvc.exe
Token: SeRestorePrivilege 2980 vssvc.exe
Token: SeAuditPrivilege 2980 vssvc.exe

pid	process
1984	vssadmin.exe
2500	vssadmin.exe

pid	process
2484	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe

description	pid	process
Token: SeBackupPrivilege	2980	vssvc.exe
Token: SeRestorePrivilege	2980	vssvc.exe
Token: SeAuditPrivilege	2980	vssvc.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.execmd.execmd.exe

description	pid	process	target process
PID 2656 wrote to memory of 2484	2656	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
PID 2656 wrote to memory of 2484	2656	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
PID 2656 wrote to memory of 2484	2656	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
PID 2656 wrote to memory of 2484	2656	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
PID 2656 wrote to memory of 2484	2656	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
PID 2656 wrote to memory of 2484	2656	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
PID 2656 wrote to memory of 2484	2656	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
PID 2656 wrote to memory of 2484	2656	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
PID 2656 wrote to memory of 2484	2656	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
PID 2656 wrote to memory of 2484	2656	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
PID 2484 wrote to memory of 2060	2484	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	cmd.exe
PID 2484 wrote to memory of 2060	2484	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	cmd.exe
PID 2484 wrote to memory of 2060	2484	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	cmd.exe
PID 2484 wrote to memory of 2060	2484	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	cmd.exe
PID 2060 wrote to memory of 2500	2060	cmd.exe	vssadmin.exe
PID 2060 wrote to memory of 2500	2060	cmd.exe	vssadmin.exe
PID 2060 wrote to memory of 2500	2060	cmd.exe	vssadmin.exe
PID 2060 wrote to memory of 2500	2060	cmd.exe	vssadmin.exe
PID 2060 wrote to memory of 2856	2060	cmd.exe	reg.exe
PID 2060 wrote to memory of 2856	2060	cmd.exe	reg.exe
PID 2060 wrote to memory of 2856	2060	cmd.exe	reg.exe
PID 2060 wrote to memory of 2856	2060	cmd.exe	reg.exe
PID 2060 wrote to memory of 2568	2060	cmd.exe	reg.exe
PID 2060 wrote to memory of 2568	2060	cmd.exe	reg.exe
PID 2060 wrote to memory of 2568	2060	cmd.exe	reg.exe
PID 2060 wrote to memory of 2568	2060	cmd.exe	reg.exe
PID 2060 wrote to memory of 2584	2060	cmd.exe	reg.exe
PID 2060 wrote to memory of 2584	2060	cmd.exe	reg.exe
PID 2060 wrote to memory of 2584	2060	cmd.exe	reg.exe
PID 2060 wrote to memory of 2584	2060	cmd.exe	reg.exe
PID 2060 wrote to memory of 2636	2060	cmd.exe	attrib.exe
PID 2060 wrote to memory of 2636	2060	cmd.exe	attrib.exe
PID 2060 wrote to memory of 2636	2060	cmd.exe	attrib.exe
PID 2060 wrote to memory of 2636	2060	cmd.exe	attrib.exe
PID 2484 wrote to memory of 620	2484	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	cmd.exe
PID 2484 wrote to memory of 620	2484	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	cmd.exe
PID 2484 wrote to memory of 620	2484	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	cmd.exe
PID 2484 wrote to memory of 620	2484	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	cmd.exe
PID 2484 wrote to memory of 1484	2484	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	cmd.exe
PID 2484 wrote to memory of 1484	2484	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	cmd.exe
PID 2484 wrote to memory of 1484	2484	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	cmd.exe
PID 2484 wrote to memory of 1484	2484	72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe	cmd.exe
PID 620 wrote to memory of 1984	620	cmd.exe	vssadmin.exe
PID 620 wrote to memory of 1984	620	cmd.exe	vssadmin.exe
PID 620 wrote to memory of 1984	620	cmd.exe	vssadmin.exe
PID 620 wrote to memory of 1984	620	cmd.exe	vssadmin.exe
PID 620 wrote to memory of 2000	620	cmd.exe	reg.exe
PID 620 wrote to memory of 2000	620	cmd.exe	reg.exe
PID 620 wrote to memory of 2000	620	cmd.exe	reg.exe
PID 620 wrote to memory of 2000	620	cmd.exe	reg.exe
PID 620 wrote to memory of 2928	620	cmd.exe	reg.exe
PID 620 wrote to memory of 2928	620	cmd.exe	reg.exe
PID 620 wrote to memory of 2928	620	cmd.exe	reg.exe
PID 620 wrote to memory of 2928	620	cmd.exe	reg.exe
PID 620 wrote to memory of 1436	620	cmd.exe	reg.exe
PID 620 wrote to memory of 1436	620	cmd.exe	reg.exe
PID 620 wrote to memory of 1436	620	cmd.exe	reg.exe
PID 620 wrote to memory of 1436	620	cmd.exe	reg.exe
PID 620 wrote to memory of 1908	620	cmd.exe	attrib.exe
PID 620 wrote to memory of 1908	620	cmd.exe	attrib.exe
PID 620 wrote to memory of 1908	620	cmd.exe	attrib.exe
PID 620 wrote to memory of 1908	620	cmd.exe	attrib.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2636 attrib.exe
1908 attrib.exe

pid	process
2636	attrib.exe
1908	attrib.exe

C:\Users\Admin\AppData\Local\Temp\72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
"C:\Users\Admin\AppData\Local\Temp\72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
  "C:\Users\Admin\AppData\Local\Temp\72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe"
  2⤵
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\__tF029.tmp.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2500
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
      4⤵
      Clears Network RDP Connection History and Configurations
      System Location Discovery: System Language Discovery
      PID:2856
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
      4⤵
      Clears Network RDP Connection History and Configurations
      System Location Discovery: System Language Discovery
      PID:2568
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2584
  - - C:\Windows\SysWOW64\attrib.exe
      attrib Default.rdp -s -h
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\__t24B1.tmp.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1984
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
      4⤵
      Clears Network RDP Connection History and Configurations
      System Location Discovery: System Language Discovery
      PID:2000
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
      4⤵
      Clears Network RDP Connection History and Configurations
      System Location Discovery: System Language Discovery
      PID:2928
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1436
  - - C:\Windows\SysWOW64\attrib.exe
      attrib Default.rdp -s -h
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c .bat
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

Clear Network Connection History and Configurations

T1070.007

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini

Filesize
1KB

MD5
5be15a115fb4cac961088201343d8305

SHA1
90bc7467b7959d378622c71be9f00948f91c2c85

SHA256
302d2be6c278204ae5091fbd17980826456641d94a031f01796d01fdf26008aa

SHA512
9680b0fcb6d1cb68cce151bd545d24877caefd7a09d9fcc8a51ea8274ba67607bfa0c7ed8df12f99ce1e613509f8dd4caad135f33e2f6502c295579653599a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\.bat

Filesize
256B

MD5
e0e7a234622905ee483a9a2ad7135333

SHA1
d3129978de0570f88ded2c6be3d952547e968c60

SHA256
668463de3ef9c95912d0d3bd3b367895201fc5ba5338dbd033368885e639b9c4

SHA512
e4cfc88019ed7d5de5747935b91938fac2660210bcf15ca7f739537cc0d519a61b8de6825c3df7b9010f188deab76ce1819ac857b0a3f25ecad521491c6dc28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__tF029.tmp.bat

Filesize
445B

MD5
32d8f7a3d0c796cee45f64b63c1cca38

SHA1
d58466430a2bba8641bd92c880557379e25b140c

SHA256
1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea

SHA512
288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698

Download Submit
C:\Users\Public\Videos\RECOVER-FILES.html

Filesize
4KB

MD5
388b7fff1cda149842c6bebb315a0436

SHA1
99ff909294a8482ba94f9ddeadc7afe8de9cc54a

SHA256
ac52e354109e524631f3894b27d9d81081ef0226e0805105b4de7cb7d9c7f2ab

SHA512
80a93ba95ef22b291785e84268babc2380c07a883256e7574d11e3218374d46e568b380f76b6ce076280b262e44b5a9acca55080974c5ddd12aa5f191c29865f

Download Submit
memory/2484-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2484-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2484-6-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2484-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2484-1632-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2484-18070-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2656-1-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download