b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13

Analysis

max time kernel
92s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
Size

2.3MB
MD5

66c6dfe570b7e10fc9b62614a6bb0476
SHA1

75ca6a5a47105af2855ace988f2e86fb8d54f56a
SHA256

b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13
SHA512

90659304debcbe88595c469e1846ff2f8544da480dcd75ba591079eabfa8e9cca9535f8f8130114f33f5c4317a95c735c26386bbd357a9451b9af2391762db54
SSDEEP

24576:w/F1XGA9DHYdqQiF/swJ0r6ck59yjFGWG04J2ksswOGpyCP5WfWr:w91XRlYdqxF/QU5EH6wOVCBW

Score

10^/10

credential_access discovery execution ransomware spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://i.imgur.com/DQ6FCxz.png

Signatures

Renames multiple (8750) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 1 IoCs

flow	pid	Process
35	1956	powershell.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1956	powershell.exe
1804	powershell.exe

Drops desktop.ini file(s) 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Public\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.png"	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\az-Latn-AZ\View3d\3DViewerProductDescription-universal.xml	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\share_icons.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-black_scale-200.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-40.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files (x86)\Adobe\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-125.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-96.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ga.pak.DATA	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\46.jpg	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sv-SE\View3d\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\selector.js	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\ui-strings.js	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyView.scale-200.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\gu.pak.DATA	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_TestDrive.help.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\ui-strings.js	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\uk-UA\PhotoAcq.dll.mui	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymb.ttf	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-96_altform-unplated.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketchAppService\ReadMe.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\dd_arrow_small2x.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\gl.pak.DATA	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsWideTile.contrast-white_scale-125.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Nose.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorStoreLogo.contrast-white_scale-200.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Doughboy.scale-150.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\it-IT\msdaremr.dll.mui	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adovbs.inc	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxSignature.p7x	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-200.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxSmallTile.scale-400.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-200.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Google.scale-250.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\tr-tr\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Exist.ps1	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
File opened for modification	C:\Windows\R3ADM3.txt	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1956	powershell.exe
1956	powershell.exe
1804	powershell.exe
1804	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1956	4028	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe	92
PID 4028 wrote to memory of 1956	4028	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe	92
PID 4028 wrote to memory of 1804	4028	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe	94
PID 4028 wrote to memory of 1804	4028	b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe	94
PID 1804 wrote to memory of 4572	1804	powershell.exe	96
PID 1804 wrote to memory of 4572	1804	powershell.exe	96
PID 4572 wrote to memory of 4920	4572	csc.exe	97
PID 4572 wrote to memory of 4920	4572	csc.exe	97

C:\Users\Admin\AppData\Local\Temp\b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
"C:\Users\Admin\AppData\Local\Temp\b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgur.com/DQ6FCxz.png', 'C:\Users\Admin\AppData\Local\Temp\Wallpaper.png')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Wallpaper { [DllImport(\"user32.dll\", CharSet = CharSet.Auto)] public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); public static void Set(string path) { SystemParametersInfo(20, 0, path, 3); } }'; [Wallpaper]::Set('C:\Users\Admin\AppData\Local\Temp\Wallpaper.png')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1r43cwg2\1r43cwg2.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7318.tmp" "c:\Users\Admin\AppData\Local\Temp\1r43cwg2\CSC9A4074BFE20C484798AA12EF3E3A3550.TMP"
      4⤵
      PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\R3ADM3.txt

Filesize
576B

MD5
f23030d9016bf550545665639ffe3329

SHA1
95195c349f6929832a1e7e3d1bd11ebfb2cbce1b

SHA256
747d06005c5539438076a0b5d3396727420aeb8c0c6348cd62324f530d0dde28

SHA512
6601c4e0af52ca5436dc12280813b0abd963a4ff1fa51af39a09d771b7898604205b74a12ad4597fa1970fc6477cae0b378887156130cf0c73a994c61924703b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e1b164c20334d2b120239c8a413bff77

SHA1
cb072715128a694ec4702c2fec3e3b442774bb83

SHA256
b6b171bea81282c9bbbba9b04ec27338088021714d36a1d2a3e54888eab10913

SHA512
497c7ea85889a72be8253f8c4d1166a0702c425904fe416e557a990fc76df83b6ee59bf7e2ba5dbba2730178a589db6c36387d41ce7a52286208c30d33b3f062

Download Submit
C:\Users\Admin\AppData\Local\Temp\1r43cwg2\1r43cwg2.dll

Filesize
3KB

MD5
f6362aeb8b01618d20066f9e55f7131c

SHA1
d8936f2cd9b30bdd226f6174581da58ee698a204

SHA256
e963c27ce121fc67d486a7c6a32665fb2c6a268c8b2a17049b529b9d0a70f656

SHA512
b23a67cf7a52e0dc2e243ada46046635e5206664d4b7855f9c8341e5219c57ff285ef2d685331ecf1f307e297fd92479ea74f326fbe8b96ae500089d9b807a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7318.tmp

Filesize
1KB

MD5
654c670a1419f34c71b36fb1a42cdb85

SHA1
2b2cae872d4bf4093eb6af1d21018dea23c9d1d8

SHA256
8b5fb267095dc720c1b14217f39b230674db89d14ad14227c71d23c43846a7a3

SHA512
0fde44ca7119f8bcd5474e54648ca2377aea912bdcf99ddbb7223e9485c788764ac8285f80f716290a946fbb3f2707d140ac7b61c6bd198e744e4d0f18d6615a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uwdhvqqo.kwf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1r43cwg2\1r43cwg2.0.cs

Filesize
312B

MD5
945a8245afef16ce6654338c6a4b1ab7

SHA1
165014157ca311751105fdf7c7c105a1a7b113a0

SHA256
331b27fcd961cc9e94bb774dfa7e1b8c5999d91f0f820924dc7c60a6610c1246

SHA512
d598cdb315ad50340efd7c52fd31ae9aef585281c3a384d84f1def0ce9782ac324087fede7c0b1157eea9b40c0fc3cbc650f646a9c93260efcfaf7bdf962be5e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1r43cwg2\1r43cwg2.cmdline

Filesize
369B

MD5
a1f3064fd7591ae8bec428884d1981b2

SHA1
b93de86a8f3f3fb944f082a211e7bcb847c7e7c7

SHA256
20d629674ec0fc8ce0f7c3c6761bea3622c6574946f602fbd571180ce78f41db

SHA512
52a89fb70c0c8e626760739ccc4e0dfa41b258ea1c0a5a913bb26d8f008a4a257db59e94b9acfb60e2ca0c06181101079699a1d4aa9e3995ed600ab95ad91fec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1r43cwg2\CSC9A4074BFE20C484798AA12EF3E3A3550.TMP

Filesize
652B

MD5
a9c9e8a5c7aad09c86fb4c79e8c7301c

SHA1
dd621de2cad5e3f66dcea35fddc048aedeefddda

SHA256
fa9d7e6f23cb5a213ac3ce892af691b7db92cab083cde99e98593e53eb7921e5

SHA512
5e048c099a2eff95dec4c5f447a94321b012e82b72cf2feb3ce272f7edd8dcac01013c4bdac5d5c7f202bf2c04d8ad76c65b20d58fa1e0f763e3b1e80183405b

Download Submit
memory/1804-52973-0x00007FF929EC0000-0x00007FF92A981000-memory.dmp

Filesize
10.8MB

Download
memory/1804-52974-0x00007FF929EC0000-0x00007FF92A981000-memory.dmp

Filesize
10.8MB

Download
memory/1804-52976-0x00007FF929EC0000-0x00007FF92A981000-memory.dmp

Filesize
10.8MB

Download
memory/1804-52989-0x0000023EE8110000-0x0000023EE8118000-memory.dmp

Filesize
32KB

Download
memory/1804-52992-0x00007FF929EC0000-0x00007FF92A981000-memory.dmp

Filesize
10.8MB

Download
memory/1956-52962-0x00007FF92A620000-0x00007FF92B0E1000-memory.dmp

Filesize
10.8MB

Download
memory/1956-52958-0x00007FF92A620000-0x00007FF92B0E1000-memory.dmp

Filesize
10.8MB

Download
memory/1956-52948-0x00007FF92A620000-0x00007FF92B0E1000-memory.dmp

Filesize
10.8MB

Download
memory/1956-52947-0x000001A24FC50000-0x000001A24FC72000-memory.dmp

Filesize
136KB

Download
memory/1956-52946-0x00007FF92A623000-0x00007FF92A625000-memory.dmp

Filesize
8KB

Download