General
Target

f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe

Filesize

69KB

Completed

20-08-2020 21:27

Task

behavioral1

Score
10/10
MD5

f0cc568491cd523d2677d938f163395f

SHA1

ca05a4cde0ba40983381b2f91c9ecee672c69262

SHA256

f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86

SHA256

acaa24ed418feb3dbfedae933859f43adfbb2442fd1fb46baadc5235006ee4c0a1b9ed1b4a1e2514ea7fc43d7fac0b768776e43d1452d4a47fd968c0aa0c46ba

Malware Config

Extracted

Path

C:\Program Files (x86)\Common Files\Adobe AIR\E32E7D-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e32e7d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e32e7d: ycBxeCylf7v960ltbz38yR/WNNbwG/1LPZGMeO7OS2wRX4jEzy N4Upo1wMkP5r6753TkoqbJpoSmYaZGOiv7oqL3fCvNoW8CxS9i HLSsOySjCSkxszmtKd8mkyOTisc/L8wN/32SZQOY4jrGpMc4EJ MoB85fTfyoT+AExrrqu9ez1+VjAxvgWwaYwN0gIPUcjPoS/fKT 13fJQ4enarOINDRLQlbALiQ51zekgTFGJsJ7iRerR9XhohXy3L KtsvPCsSQh7Jv0vk0qem+8sXf158772x6RUijIgw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Users\Admin\Desktop\E32E7D-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e32e7d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e32e7d: ycBxeCylf7v960ltbz38yR/WNNbwG/1LPZGMeO7OS2wRX4jEzy N4Upo1wMkP5r6753TkoqbJpoSmYaZGOiv7oqL3fCvNoW8CxS9i HLSsOySjCSkxszmtKd8mkyOTisc/L8wN/32SZQOY4jrGpMc4EJ MoB85fTfyoT+AExrrqu9ez1+VjAxvgWwaYwN0gIPUcjPoS/fKT 13fJQ4enarOINDRLQlbALiQ51zekgTFGJsJ7iRerR9XhohXy3L KtsvPCsSQh7Jv0vk0qem+8sXf158772x6RUijIgw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e32e7d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e32e7d: ycBxeCylf7v960ltbz38yR/WNNbwG/1LPZGMeO7OS2wRX4jEzy N4Upo1wMkP5r6753TkoqbJpoSmYaZGOiv7oqL3fCvNoW8CxS9i HLSsOySjCSkxszmtKd8mkyOTisc/L8wN/32SZQOY4jrGpMc4EJ MoB85fTfyoT+AExrrqu9ez1+VjAxvgWwaYwN0gIPUcjPoS/fKT 13fJQ4enarOINDRLQlbALiQ51zekgTFGJsJ7iRerR9XhohXy3L KtsvPCsSQh7Jv0vk0qem+8sXf158772x6RUijIgw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\E32E7D-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e32e7d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e32e7d: ycBxeCylf7v960ltbz38yR/WNNbwG/1LPZGMeO7OS2wRX4jEzy N4Upo1wMkP5r6753TkoqbJpoSmYaZGOiv7oqL3fCvNoW8CxS9i HLSsOySjCSkxszmtKd8mkyOTisc/L8wN/32SZQOY4jrGpMc4EJ MoB85fTfyoT+AExrrqu9ez1+VjAxvgWwaYwN0gIPUcjPoS/fKT 13fJQ4enarOINDRLQlbALiQ51zekgTFGJsJ7iRerR9XhohXy3L KtsvPCsSQh7Jv0vk0qem+8sXf158772x6RUijIgw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e32e7d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e32e7d: ycBxeCylf7v960ltbz38yR/WNNbwG/1LPZGMeO7OS2wRX4jEzy N4Upo1wMkP5r6753TkoqbJpoSmYaZGOiv7oqL3fCvNoW8CxS9i HLSsOySjCSkxszmtKd8mkyOTisc/L8wN/32SZQOY4jrGpMc4EJ MoB85fTfyoT+AExrrqu9ez1+VjAxvgWwaYwN0gIPUcjPoS/fKT 13fJQ4enarOINDRLQlbALiQ51zekgTFGJsJ7iRerR9XhohXy3L KtsvPCsSQh7Jv0vk0qem+8sXf158772x6RUijIgw==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .e32e7d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_e32e7d: ycBxeCylf7v960ltbz38yR/WNNbwG/1LPZGMeO7OS2wRX4jEzy N4Upo1wMkP5r6753TkoqbJpoSmYaZGOiv7oqL3fCvNoW8CxS9i HLSsOySjCSkxszmtKd8mkyOTisc/L8wN/32SZQOY4jrGpMc4EJ MoB85fTfyoT+AExrrqu9ez1+VjAxvgWwaYwN0gIPUcjPoS/fKT 13fJQ4enarOINDRLQlbALiQ51zekgTFGJsJ7iRerR9XhohXy3L KtsvPCsSQh7Jv0vk0qem+8sXf158772x6RUijIgw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures 12

Filter: none

Collection
Credential Access
Defense Evasion
Impact
Persistence
  • Netwalker

    Description

    Ransomware believed to be a variant of MailTo.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Modifies extensions of user files
    f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File renamedC:\Users\Admin\Pictures\StartComplete.tif => C:\Users\Admin\Pictures\StartComplete.tif.e32e7df2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File renamedC:\Users\Admin\Pictures\ResumeUninstall.png => C:\Users\Admin\Pictures\ResumeUninstall.png.e32e7df2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File renamedC:\Users\Admin\Pictures\MoveMeasure.png => C:\Users\Admin\Pictures\MoveMeasure.png.e32e7df2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File renamedC:\Users\Admin\Pictures\RepairConvert.raw => C:\Users\Admin\Pictures\RepairConvert.raw.e32e7df2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File renamedC:\Users\Admin\Pictures\UnblockRedo.tif => C:\Users\Admin\Pictures\UnblockRedo.tif.e32e7df2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File renamedC:\Users\Admin\Pictures\SearchShow.png => C:\Users\Admin\Pictures\SearchShow.png.e32e7df2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File renamedC:\Users\Admin\Pictures\PopJoin.tif => C:\Users\Admin\Pictures\PopJoin.tif.e32e7df2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File renamedC:\Users\Admin\Pictures\TestReset.tiff => C:\Users\Admin\Pictures\TestReset.tiff.e32e7df2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Users\Admin\Pictures\TestReset.tifff2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pidprocess
    2664cmd.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Modifies service
    vssvc.exe

    TTPs

    Modify RegistryModify Existing Service

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}vssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writervssvc.exe
  • Drops file in Program Files directory
    f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0186364.WMFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IT.XMLf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pff2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Centerf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01219_.GIFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\7-Zip\Lang\an.txtf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fcaf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.htmlf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0285698.WMFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassauf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02214_.GIFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.pngf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luisf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\zi\HSTf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File createdC:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\default_apps\E32E7D-Readme.txtf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jarf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xmlf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xmlf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File createdC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\E32E7D-Readme.txtf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guadalcanalf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00932_.WMFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zipf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Office14\Groove\Sounds\Places\RADAR.WAVf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\zi\America\Phoenixf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105410.WMFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099204.WMFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\7-Zip\Lang\en.tttf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR27F.GIFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0291794.WMFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproductf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18228_.WMFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\zi\America\Argentina\Saltaf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jarf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jarf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\StopFormat.scff2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01745_.GIFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPGf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\zi\Pacific\Easterf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File createdC:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\E32E7D-Readme.txtf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\Locales\fa.pakf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.giff2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\7-Zip\Lang\fa.txtf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File createdC:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\E32E7D-Readme.txtf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14691_.GIFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Track Issues.fdtf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_ON.GIFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\default_apps\youtube.crxf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2B.GIFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.giff2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMPf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXTf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0175361.JPGf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.ID.XMLf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\7-Zip\Lang\kk.txtf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsawf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\ResumeTest.AACf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR10F.GIFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\CLIPART\PUB60COR\IN00351_.WMFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.htmlf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File createdC:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\E32E7D-Readme.txtf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Office14\ACCWIZ\UTILITY.ACCDAf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\DELETE.GIFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.NZ.XMLf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    File opened for modificationC:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIFf2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery

    Reported IOCs

    pidprocess
    528vssadmin.exe
  • Kills process with taskkill
    taskkill.exe

    Tags

    Reported IOCs

    pidprocess
    2696taskkill.exe
  • Suspicious behavior: EnumeratesProcesses
    f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe

    Reported IOCs

    pidprocess
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
  • Suspicious use of AdjustPrivilegeToken
    f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exevssvc.exetaskkill.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    Token: SeImpersonatePrivilege1436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    Token: SeBackupPrivilege6700vssvc.exe
    Token: SeRestorePrivilege6700vssvc.exe
    Token: SeAuditPrivilege6700vssvc.exe
    Token: SeDebugPrivilege2696taskkill.exe
  • Suspicious use of WriteProcessMemory
    f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1436 wrote to memory of 5281436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exevssadmin.exe
    PID 1436 wrote to memory of 5281436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exevssadmin.exe
    PID 1436 wrote to memory of 5281436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exevssadmin.exe
    PID 1436 wrote to memory of 5281436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exevssadmin.exe
    PID 1436 wrote to memory of 58961436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exenotepad.exe
    PID 1436 wrote to memory of 58961436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exenotepad.exe
    PID 1436 wrote to memory of 58961436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exenotepad.exe
    PID 1436 wrote to memory of 58961436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exenotepad.exe
    PID 1436 wrote to memory of 26641436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.execmd.exe
    PID 1436 wrote to memory of 26641436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.execmd.exe
    PID 1436 wrote to memory of 26641436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.execmd.exe
    PID 1436 wrote to memory of 26641436f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.execmd.exe
    PID 2664 wrote to memory of 26962664cmd.exetaskkill.exe
    PID 2664 wrote to memory of 26962664cmd.exetaskkill.exe
    PID 2664 wrote to memory of 26962664cmd.exetaskkill.exe
    PID 2664 wrote to memory of 26962664cmd.exetaskkill.exe
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe"
    Modifies extensions of user files
    Drops file in Program Files directory
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      Interacts with shadow copies
      PID:528
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\E32E7D-Readme.txt"
      PID:5896
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\A6D9.tmp.bat"
      Deletes itself
      Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 1436
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        PID:2696
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Modifies service
    Suspicious use of AdjustPrivilegeToken
    PID:6700
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Discovery
      Execution
        Exfiltration
          Initial Access
            Lateral Movement
              Privilege Escalation
                Replay Monitor
                00:00 00:00
                Downloads
                • C:\Users\Admin\AppData\Local\Temp\A6D9.tmp.bat

                • C:\Users\Admin\Desktop\E32E7D-Readme.txt

                • memory/528-0-0x0000000000000000-mapping.dmp

                • memory/2664-6-0x0000000000000000-mapping.dmp

                • memory/2696-10-0x0000000000000000-mapping.dmp

                • memory/5896-3-0x0000000000000000-mapping.dmp