Analysis
max time kernel: 74s
max time network: 152s
platform: windows10_x64
resource: win10
submitted: 20-08-2020 21:25

Static task: static1
Behavioral task: behavioral1
  Sample: f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
  Resource: win10

General
Target: f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
Size: 69KB
MD5: f0cc568491cd523d2677d938f163395f
SHA1: ca05a4cde0ba40983381b2f91c9ecee672c69262
SHA256: f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86
SHA512: acaa24ed418feb3dbfedae933859f43adfbb2442fd1fb46baadc5235006ee4c0a1b9ed1b4a1e2514ea7fc43d7fac0b768776e43d1452d4a47fd968c0aa0c46ba
Malware Config
Extracted: the same configuration was recovered from each of the following ransom-note drops
- C:\odt\0E9E94-Readme.txt
- C:\Users\Admin\AppData\Roaming\0E9E94-Readme.txt
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\0E9E94-Readme.txt
- C:\Program Files\0E9E94-Readme.txt
- C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\0E9E94-Readme.txt
- C:\Program Files\Java\jdk1.8.0_66\lib\0E9E94-Readme.txt
Family: netwalker
URLs (Tor hidden services):
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures

Netwalker
Ransomware believed to be a variant of MailTo.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery. In this run the deletion is the child process vssadmin.exe delete shadows /all /quiet shown in the process tree below.

Modifies extensions of user files (10 IoCs)
Ransomware generally changes the extension on encrypted files. Every encrypted file here receives the appended extension .0e9e94, the same six hex characters that prefix the ransom-note name 0E9E94-Readme.txt, so the extension doubles as the victim ID for this infection.
Process: f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
File opened for modification C:\Users\Admin\Pictures\CompleteConfirm.tiff
File renamed C:\Users\Admin\Pictures\OpenReceive.tif => C:\Users\Admin\Pictures\OpenReceive.tif.0e9e94
File renamed C:\Users\Admin\Pictures\UnprotectRedo.raw => C:\Users\Admin\Pictures\UnprotectRedo.raw.0e9e94
File renamed C:\Users\Admin\Pictures\ResetMove.tiff => C:\Users\Admin\Pictures\ResetMove.tiff.0e9e94
File renamed C:\Users\Admin\Pictures\MergeRestart.crw => C:\Users\Admin\Pictures\MergeRestart.crw.0e9e94
File renamed C:\Users\Admin\Pictures\UpdateEnter.tif => C:\Users\Admin\Pictures\UpdateEnter.tif.0e9e94
File opened for modification C:\Users\Admin\Pictures\ResetMove.tiff
File renamed C:\Users\Admin\Pictures\CompleteConfirm.tiff => C:\Users\Admin\Pictures\CompleteConfirm.tiff.0e9e94
File renamed C:\Users\Admin\Pictures\ReadBackup.png => C:\Users\Admin\Pictures\ReadBackup.png.0e9e94
File renamed C:\Users\Admin\Pictures\AssertDisconnect.raw => C:\Users\Admin\Pictures\AssertDisconnect.raw.0e9e94
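The relationship between the appended extension and the ransom-note name can be checked mechanically rather than by eye. The Python below is an added example written for this page; it is not sandbox output and not NetWalker code. It parses the rename IoCs listed above (embedded as a constructed string copied from this report), finds the extension that was appended to every renamed file, and checks that it matches the victim ID in the <ID>-Readme.txt note names from the Malware Config section. The min_count threshold and the subset of note paths used are assumptions.

```python
import re
from collections import Counter

# Constructed input: the "Modifies extensions of user files" IoCs from this report,
# one event per line, copied verbatim (not the sandbox's raw output format).
FILE_IOCS = r"""
File opened for modification C:\Users\Admin\Pictures\CompleteConfirm.tiff
File renamed C:\Users\Admin\Pictures\OpenReceive.tif => C:\Users\Admin\Pictures\OpenReceive.tif.0e9e94
File renamed C:\Users\Admin\Pictures\UnprotectRedo.raw => C:\Users\Admin\Pictures\UnprotectRedo.raw.0e9e94
File renamed C:\Users\Admin\Pictures\ResetMove.tiff => C:\Users\Admin\Pictures\ResetMove.tiff.0e9e94
File renamed C:\Users\Admin\Pictures\MergeRestart.crw => C:\Users\Admin\Pictures\MergeRestart.crw.0e9e94
File renamed C:\Users\Admin\Pictures\UpdateEnter.tif => C:\Users\Admin\Pictures\UpdateEnter.tif.0e9e94
File opened for modification C:\Users\Admin\Pictures\ResetMove.tiff
File renamed C:\Users\Admin\Pictures\CompleteConfirm.tiff => C:\Users\Admin\Pictures\CompleteConfirm.tiff.0e9e94
File renamed C:\Users\Admin\Pictures\ReadBackup.png => C:\Users\Admin\Pictures\ReadBackup.png.0e9e94
File renamed C:\Users\Admin\Pictures\AssertDisconnect.raw => C:\Users\Admin\Pictures\AssertDisconnect.raw.0e9e94
"""

# A subset of the ransom-note paths from the Malware Config section (assumption: three are enough).
NOTE_PATHS = [
    r"C:\odt\0E9E94-Readme.txt",
    r"C:\Users\Admin\AppData\Roaming\0E9E94-Readme.txt",
    r"C:\Program Files\0E9E94-Readme.txt",
]

RENAME_RE = re.compile(r"^File renamed (.+?) => (.+)$")
NOTE_RE = re.compile(r"([0-9A-Fa-f]{6})-Readme\.txt$")


def parse_renames(text):
    """Return (source, destination) pairs from 'File renamed A => B' lines."""
    pairs = []
    for line in text.splitlines():
        m = RENAME_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def appended_suffix(src, dst):
    """Extension appended to the original name, or None if the rename was not a pure append."""
    if dst.startswith(src) and dst[len(src):].startswith("."):
        return dst[len(src) + 1:]
    return None


def dominant_suffix(pairs, min_count=5):
    """Most common appended extension and its count if at least min_count files share it."""
    counts = Counter(s for s in (appended_suffix(a, b) for a, b in pairs) if s)
    if not counts:
        return None
    suffix, n = counts.most_common(1)[0]
    return (suffix, n) if n >= min_count else None


def note_ids(paths):
    """Victim IDs embedded in '<ID>-Readme.txt' note file names."""
    ids = set()
    for p in paths:
        m = NOTE_RE.search(p)
        if m:
            ids.add(m.group(1))
    return ids


def correlate(iocs_text, note_paths):
    """Tie the mass-rename extension to the ransom-note ID (case-insensitive)."""
    pairs = parse_renames(iocs_text)
    dom = dominant_suffix(pairs)
    ids = note_ids(note_paths)
    matched = dom is not None and any(i.lower() == dom[0].lower() for i in ids)
    return {"renames": len(pairs), "suffix": dom, "note_ids": ids, "id_matches_extension": matched}


if __name__ == "__main__":
    print(correlate(FILE_IOCS, NOTE_PATHS))
```

The same parser works on a file-system audit feed: a burst of renames that all append one previously unseen extension is the behavioural signal, and matching it against a freshly created *-Readme.txt in the same directories gives the family-specific confirmation.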
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No file or registry IoCs are listed for this signature in the report, so treat it as a TTP-level tag (the sample touched browser profile locations during its file sweep) rather than as confirmed credential theft.
Modifies service (2 TTPs, 5 IoCs)
Process: vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
All five keys are written by vssvc.exe, the Volume Shadow Copy service, which starts when vssadmin.exe is invoked; they are the service's own diagnostic entries for its writers and provider, and the sample itself does not touch them according to this listing.
Drops file in Program Files directory (17073 IoCs; the first 64 are listed)
Process: f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
The "File created" entries are copies of the ransom note 0E9E94-Readme.txt dropped into directories the sample traversed; the "File opened for modification" entries are files the sample opened for writing during its encryption pass.
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_MouseNose.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\slide_in.wav
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Spider\Tips_2.jpg
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main.css
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-96_altform-unplated.png
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\ui-strings.js
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\0E9E94-Readme.txt
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\XMLOffKeys\Keys_OffVer14.xml
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\gn_16x11.png
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\0E9E94-Readme.txt
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-focus_32.svg
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5601_40x40x32.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\MapDarkTheme.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Effects\effects_lobby_bubbles.jpg
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-white_scale-100.png
File created C:\Program Files\VideoLAN\VLC\skins\fonts\0E9E94-Readme.txt
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\0E9E94-Readme.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2016.511.9510.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-100.png
File opened for modification C:\Program Files\Microsoft Office\root\mcxml\x-none\Office.x-none.msi.16_postcommon.mcxml
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\bb_60x42.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gt_60x42.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-20_altform-unplated_contrast-white.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeLogo.scale-200.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\PrizeHistory\badges_none.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons2x.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-150.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsWideTile.scale-200.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\bv_60x42.png
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1849_40x40x32.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-400.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_pattern_RHP.png
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\0E9E94-Readme.txt
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-300.png
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\Bin\LightedTextured_PixelLighting_VS.fxo
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailBadge.scale-200.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\SmallTile.scale-200.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\ui-strings.js
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\flags@2x.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache-Light.scale-240.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\Dismiss.scale-64.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons.png
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-phn.xrm-ms
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\4774_40x40x32.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\MedTile.scale-200.png
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_UK-UA.respack
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W3.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\questfallback.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated_contrast-high.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5613_40x40x32.png
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Process: vssadmin.exe (PID 3916)

Kills process with taskkill (1 IoC)
Process: taskkill.exe (PID 3668)
Suspicious behavior: EnumeratesProcesses (11897 IoCs)
Process: f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe (PID 3932). Every listed entry is this one process; the report repeats the same PID/process row for each enumeration, and the displayed rows are a truncated prefix of the 11897 counted.
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Token: SeDebugPrivilege, PID 3932, f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
Token: SeImpersonatePrivilege, PID 3932, f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe
Token: SeBackupPrivilege, PID 5584, vssvc.exe
Token: SeRestorePrivilege, PID 5584, vssvc.exe
Token: SeAuditPrivilege, PID 5584, vssvc.exe
Token: SeDebugPrivilege, PID 3668, taskkill.exe
Suspicious use of WriteProcessMemory (11 IoCs)
PID 3932 (f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe) wrote to memory of PID 3916 (vssadmin.exe): 2 entries
PID 3932 (f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe) wrote to memory of PID 7288 (notepad.exe): 3 entries
PID 3932 (f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe) wrote to memory of PID 3688 (cmd.exe): 3 entries
PID 3688 (cmd.exe) wrote to memory of PID 3668 (taskkill.exe): 3 entries
Each write targets a direct child that the same process launched, exactly mirroring the process tree below. That pattern is consistent with ordinary process creation rather than injection into an unrelated process; no write to a process outside the tree is recorded.
Processes

1. C:\Users\Admin\AppData\Local\Temp\f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe (PID 3932)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe"
   - Modifies extensions of user files
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\vssadmin.exe (PID 3916)
      Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies

   2. C:\Windows\SysWOW64\notepad.exe (PID 7288)
      Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\0E9E94-Readme.txt"

   2. C:\Windows\SysWOW64\cmd.exe (PID 3688)
      Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8651.tmp.bat"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe (PID 3668)
         Command line: taskkill /F /PID 3932
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\system32\vssvc.exe (PID 5584)
   Command line: C:\Windows\system32\vssvc.exe
   - Modifies service
   - Suspicious use of AdjustPrivilegeToken

Notes on the tree. The leading numbers are tree depth (1 = root, 2 = child of the sample, 3 = grandchild); PIDs are taken from the signature tables above. taskkill /F /PID 3932 targets the sample's own PID, so the dropped 8651.tmp.bat exists to terminate the ransomware process itself; the batch file's contents are not shown in this report. notepad.exe, cmd.exe and taskkill.exe are requested as C:\Windows\system32\... on the command line but run from C:\Windows\SysWOW64\, which is WOW64 file-system redirection: the sample is a 32-bit process on this 64-bit Windows 10 image. vssvc.exe (the Volume Shadow Copy service) appears as a separate root because it is started on demand by the service control manager when vssadmin.exe makes its request, not spawned by the sample.
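The process tree is the part of this report most directly usable for detection engineering. The Python below is an added example written for this page, not sandbox code and not code from the sample. It rebuilds the tree as process-creation events (PIDs, image paths and command lines copied from this report; the ppid=None on the two roots is an assumption because the report does not show their parents) and runs four checks over it: shadow-copy deletion through vssadmin, a taskkill whose /PID argument is one of its own ancestors (self-termination through a dropped batch file), cmd.exe executing a .bat from the user's Temp directory, and notepad.exe opening a <ID>-Readme.txt note. A helper also flags the SysWOW64/system32 mismatch that reveals a 32-bit parent.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE = "f2215e1a848bc5a5d172745201ea428b1d16fee7c814c5c5180a94a134592e86.bin.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event: pid, parent pid (None for a tree root), image path, command line."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the process tree and PIDs in this report. The parents of the two
# tree roots are not shown on the page, so ppid=None for them is an assumption.
EVENTS = [
    ProcEvent(3932, None, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    ProcEvent(3916, 3932, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(7288, 3932, r"C:\Windows\SysWOW64\notepad.exe",
              r'C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\0E9E94-Readme.txt"'),
    ProcEvent(3688, 3932, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8651.tmp.bat"'),
    ProcEvent(3668, 3688, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /PID 3932"),
    ProcEvent(5584, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

SHADOW_DELETE_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
TASKKILL_PID_RE = re.compile(r"/PID\s+(\d+)", re.IGNORECASE)
TEMP_BAT_RE = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]+\.bat\b', re.IGNORECASE)
RANSOM_NOTE_RE = re.compile(r"\b[0-9A-F]{6}-Readme\.txt\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, events: List[ProcEvent]) -> List[int]:
    """Parent, grandparent, ... of pid, following ppid links until a root is reached."""
    by_pid = {e.pid: e for e in events}
    chain: List[int] = []
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid is not None and cur.ppid not in chain:
        chain.append(cur.ppid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Apply the four rules; returns (rule name, pid of the flagged process) pairs."""
    findings: List[Tuple[str, int]] = []
    for e in events:
        name = basename(e.image)
        if name == "vssadmin.exe" and SHADOW_DELETE_RE.search(e.cmdline):
            findings.append(("shadow_copy_deletion", e.pid))
        elif name == "taskkill.exe":
            m = TASKKILL_PID_RE.search(e.cmdline)
            # /F /PID <ancestor>: a process arranging its own termination through a child
            if m and int(m.group(1)) in ancestors(e.pid, events):
                findings.append(("self_termination_via_taskkill", e.pid))
        elif name == "cmd.exe" and TEMP_BAT_RE.search(e.cmdline):
            findings.append(("temp_batch_execution", e.pid))
        elif name == "notepad.exe" and RANSOM_NOTE_RE.search(e.cmdline):
            findings.append(("ransom_note_displayed", e.pid))
    return findings


def wow64_redirected(e: ProcEvent) -> bool:
    """Command line names system32 but the image resolved to SysWOW64: the creating
    process is 32-bit and subject to WOW64 file-system redirection."""
    return "\\syswow64\\" in e.image.lower() and "\\system32\\" in e.cmdline.lower()


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32s} pid={pid}")
    print("32-bit parent indicated by PIDs:", [e.pid for e in EVENTS if wow64_redirected(e)])
```

The ancestor walk is what keeps the taskkill rule precise: taskkill /F /PID on an arbitrary process is routine administration, but a process that spawns cmd.exe to run a batch file which then kills the grandparent is the cleanup pattern seen here. Feeding real Sysmon Event ID 1 or EDR process-creation records into ProcEvent is a field-mapping exercise; the rules themselves do not change.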
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\8651.tmp.bat
- C:\Users\Admin\Desktop\0E9E94-Readme.txt
- memory/3668-4-0x0000000000000000-mapping.dmp
- memory/3688-2-0x0000000000000000-mapping.dmp
- memory/3916-0-0x0000000000000000-mapping.dmp
- memory/7288-1-0x0000000000000000-mapping.dmp