Analysis
-
max time kernel
149s -
max time network
6s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
20-08-2020 21:25
Static task
static1
Behavioral task
behavioral1
Sample
f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
Resource
win7v200722
Behavioral task
behavioral2
Sample
f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
Resource
win10
General
-
Target
f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
-
Size
69KB
-
MD5
f0cc568491cd523d2677d938f163395f
-
SHA1
ca05a4cde0ba40983381b2f91c9ecee672c69262
-
SHA256
f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86
-
SHA512
acaa24ed418feb3dbfedae933859f43adfbb2442fd1fb46baadc5235006ee4c0a1b9ed1b4a1e2514ea7fc43d7fac0b768776e43d1452d4a47fd968c0aa0c46ba
Malware Config
Extracted
C:\Program Files (x86)\Common Files\Adobe AIR\E32E7D-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
C:\Users\Admin\Desktop\E32E7D-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
C:\Program Files\E32E7D-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker
Ransomware believed to be a variant of MailTo.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exedescription ioc process File renamed C:\Users\Admin\Pictures\StartComplete.tif => C:\Users\Admin\Pictures\StartComplete.tif.e32e7d f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File renamed C:\Users\Admin\Pictures\ResumeUninstall.png => C:\Users\Admin\Pictures\ResumeUninstall.png.e32e7d f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File renamed C:\Users\Admin\Pictures\MoveMeasure.png => C:\Users\Admin\Pictures\MoveMeasure.png.e32e7d f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File renamed C:\Users\Admin\Pictures\RepairConvert.raw => C:\Users\Admin\Pictures\RepairConvert.raw.e32e7d f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File renamed C:\Users\Admin\Pictures\UnblockRedo.tif => C:\Users\Admin\Pictures\UnblockRedo.tif.e32e7d f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File renamed C:\Users\Admin\Pictures\SearchShow.png => C:\Users\Admin\Pictures\SearchShow.png.e32e7d f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File renamed C:\Users\Admin\Pictures\PopJoin.tif => C:\Users\Admin\Pictures\PopJoin.tif.e32e7d f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File renamed C:\Users\Admin\Pictures\TestReset.tiff => C:\Users\Admin\Pictures\TestReset.tiff.e32e7d f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Users\Admin\Pictures\TestReset.tiff f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2664 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Drops file in Program Files directory 7495 IoCs
Processes:
f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0186364.WMF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IT.XML f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01219_.GIF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\an.txt f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0285698.WMF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02214_.GIF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\HST f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File created C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\default_apps\E32E7D-Readme.txt f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\E32E7D-Readme.txt f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guadalcanal f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00932_.WMF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\Sounds\Places\RADAR.WAV f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Phoenix f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105410.WMF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099204.WMF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\en.ttt f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR27F.GIF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0291794.WMF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18228_.WMF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\StopFormat.scf f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01745_.GIF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Easter f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File created C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\E32E7D-Readme.txt f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\Locales\fa.pak f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\fa.txt f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\E32E7D-Readme.txt f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14691_.GIF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Track Issues.fdt f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_ON.GIF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\default_apps\youtube.crx f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2B.GIF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.ID.XML f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\kk.txt f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\ResumeTest.AAC f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR10F.GIF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\IN00351_.WMF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File created C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\E32E7D-Readme.txt f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office14\ACCWIZ\UTILITY.ACCDA f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\DELETE.GIF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.NZ.XML f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 528 vssadmin.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 2696 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 18061 IoCs
Processes:
f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exepid process 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exevssvc.exetaskkill.exedescription pid process Token: SeDebugPrivilege 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe Token: SeImpersonatePrivilege 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe Token: SeBackupPrivilege 6700 vssvc.exe Token: SeRestorePrivilege 6700 vssvc.exe Token: SeAuditPrivilege 6700 vssvc.exe Token: SeDebugPrivilege 2696 taskkill.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.execmd.exedescription pid process target process PID 1436 wrote to memory of 528 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe vssadmin.exe PID 1436 wrote to memory of 528 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe vssadmin.exe PID 1436 wrote to memory of 528 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe vssadmin.exe PID 1436 wrote to memory of 528 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe vssadmin.exe PID 1436 wrote to memory of 5896 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe notepad.exe PID 1436 wrote to memory of 5896 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe notepad.exe PID 1436 wrote to memory of 5896 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe notepad.exe PID 1436 wrote to memory of 5896 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe notepad.exe PID 1436 wrote to memory of 2664 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe cmd.exe PID 1436 wrote to memory of 2664 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe cmd.exe PID 1436 wrote to memory of 2664 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe cmd.exe PID 1436 wrote to memory of 2664 1436 f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe cmd.exe PID 2664 wrote to memory of 2696 2664 cmd.exe taskkill.exe PID 2664 wrote to memory of 2696 2664 cmd.exe taskkill.exe PID 2664 wrote to memory of 2696 2664 cmd.exe taskkill.exe PID 2664 wrote to memory of 2696 2664 cmd.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe"C:\Users\Admin\AppData\Local\Temp\f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe"1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\E32E7D-Readme.txt"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\A6D9.tmp.bat"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 14363⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\A6D9.tmp.bat
-
C:\Users\Admin\Desktop\E32E7D-Readme.txt
-
memory/528-0-0x0000000000000000-mapping.dmp
-
memory/2664-6-0x0000000000000000-mapping.dmp
-
memory/2696-10-0x0000000000000000-mapping.dmp
-
memory/5896-3-0x0000000000000000-mapping.dmp