Analysis
- max time kernel: 132s
- max time network: 138s
- platform: windows7_x64
- resource: win7
- submitted: 07-10-2020 17:22
- Static task: static1
- Behavioral task: behavioral1 (sample 46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9.bin.exe, resource win7)
- Behavioral task: behavioral2 (sample 46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9.bin.exe, resource win10)
General
- Target: 46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9.bin.exe
- Size: 69KB
- MD5: ab8d59aba3dc3c4be755255eca51d879
- SHA1: 24d2abc132f1337f3bf2dd582efb00e5ac911161
- SHA256: 46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9
- SHA512: 0b1f3a51d6a3006c39f0a4b6ad861944fa9484920d41d68a00d7e88819a732c8bbee9d90da5c6e2c816b5e7cd13a9a35f6a26c85e29a3c3841f59e5cfab87a1e
Malware Config
Extracted from three copies of the ransom note, each yielding the configuration identifier mailto_hamlampampom:
- C:\Program Files (x86)\MSBuild\641F7F-Readme.txt
- C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\641F7F-Readme.txt
- C:\Program Files\Microsoft Office\Stationery\1033\641F7F-Readme.txt
Signatures
- MailTo (Hamlampampom Variant)
  Ransomware family discovered in late 2019 with variants named based on contact emails.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description: ioc, process):
  - File renamed: C:\Users\Admin\Pictures\AddOpen.tif => C:\Users\Admin\Pictures\AddOpen.tif.641f7f, 46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9.bin.exe
  - File renamed: C:\Users\Admin\Pictures\WaitExit.tif => C:\Users\Admin\Pictures\WaitExit.tif.641f7f, 46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9.bin.exe
  - File renamed: C:\Users\Admin\Pictures\OptimizeSave.png => C:\Users\Admin\Pictures\OptimizeSave.png.641f7f, 46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9.bin.exe
  The appended extension .641f7f is the same per-victim ID that prefixes the ransom note name 641F7F-Readme.txt, so the extension and the note can be correlated without a fixed list of known extensions.
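Added example (not part of the sandbox report and not the analysed sample's code): a small triage routine that recovers the per-victim ID from file events of the kind shown above. The event tuples are constructed from paths this report lists, plus two benign rows for contrast; the tuple layout, the three-rename threshold and the function names are assumptions of the example. It accepts only renames where the new name is the old name with one extra extension appended (AddOpen.tif => AddOpen.tif.641f7f), takes the most common appended extension as the victim ID, and then finds dropped files whose name starts with that ID (641F7F-Readme.txt), tying the extension to the note rather than relying on a list of known extensions.

```python
"""Rename-burst triage: recover the per-victim ID from file events.

Added example; not part of the sandbox report and not the sample's code.
Event tuples are constructed from paths the report lists; the tuple layout,
the threshold and the function names are assumptions of this example.
"""
import re
from collections import Counter
from typing import List, Optional, Tuple

Event = Tuple[str, str, Optional[str]]  # (kind, path, new_path_or_None)

# Constructed from the report's "File renamed" / "File created" rows, plus
# two benign rows (a normal save-as and the dropper's own temp file).
SAMPLE_EVENTS: List[Event] = [
    ("renamed", r"C:\Users\Admin\Pictures\AddOpen.tif", r"C:\Users\Admin\Pictures\AddOpen.tif.641f7f"),
    ("renamed", r"C:\Users\Admin\Pictures\WaitExit.tif", r"C:\Users\Admin\Pictures\WaitExit.tif.641f7f"),
    ("renamed", r"C:\Users\Admin\Pictures\OptimizeSave.png", r"C:\Users\Admin\Pictures\OptimizeSave.png.641f7f"),
    ("created", r"C:\Program Files (x86)\MSBuild\641F7F-Readme.txt", None),
    ("created", r"C:\Program Files\Microsoft Office\Office14\1033\Bibliography\641F7F-Readme.txt", None),
    ("renamed", r"C:\Users\Admin\Documents\report.docx", r"C:\Users\Admin\Documents\report_final.docx"),
    ("created", r"C:\Users\Admin\AppData\Local\Temp\97DC.tmp.bat", None),
]


def appended_extension(old: str, new: str) -> Optional[str]:
    """Extension appended to the *whole* old name, lower-cased, or None.

    Matches the report's pattern (AddOpen.tif -> AddOpen.tif.641f7f) and
    ignores ordinary renames that change the stem or swap the extension.
    """
    prefix = old.lower() + "."
    if not new.lower().startswith(prefix):
        return None
    ext = new[len(prefix):]
    return ext.lower() if re.fullmatch(r"[0-9A-Za-z_-]{3,16}", ext) else None


def victim_id(events: List[Event], min_renames: int = 3) -> Optional[str]:
    """Most common appended extension, if appended at least min_renames times."""
    counts = Counter()
    for kind, old, new in events:
        if kind == "renamed" and new is not None:
            ext = appended_extension(old, new)
            if ext:
                counts[ext] += 1
    if not counts:
        return None
    ext, n = counts.most_common(1)[0]
    return ext if n >= min_renames else None


def ransom_notes(events: List[Event], vid: str) -> List[str]:
    """Created files whose base name starts with the victim ID (case-insensitive)."""
    pat = re.compile(r"(?:^|[\\/])" + re.escape(vid) + r"-[^\\/]*\.txt$", re.I)
    return [path for kind, path, _ in events if kind == "created" and pat.search(path)]


def triage(events: List[Event]) -> dict:
    """Correlate the rename burst with the dropped notes carrying the same ID."""
    vid = victim_id(events)
    if vid is None:
        return {"victim_id": None, "renamed": 0, "notes": []}
    renamed = sum(1 for k, o, n in events
                  if k == "renamed" and n is not None and appended_extension(o, n) == vid)
    return {"victim_id": vid, "renamed": renamed, "notes": ransom_notes(events, vid)}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The threshold exists because a single appended extension is not evidence of anything; a burst of identical appends across unrelated files is. On real telemetry the three constructed rows would be replaced by file-rename events from the endpoint sensor.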
- Deletes itself (1 IoC)
  Processes:
  - cmd.exe, pid 5196 (runs C:\Users\Admin\AppData\Local\Temp\97DC.tmp.bat; see the process tree below)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies service (2 TTPs, 5 IoCs)
  Processes (all rows attributed to vssvc.exe):
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  All five keys are written by vssvc.exe, the Volume Shadow Copy service, under its own Diag subkey while it handles the vssadmin call recorded below. In the visible data the sample itself does not touch any service configuration, so this signature is a side effect of the shadow-copy deletion rather than a persistence or tampering step.
- Drops file in Program Files directory (7495 IoCs)
  Rows marked "File opened for modification" are files the sample opened with write access under Program Files (encryption candidates); rows marked "File created" are copies of the 641F7F-Readme.txt ransom note dropped into directories it visited. All rows are attributed to process 46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9.bin.exe; the excerpt shows 64 of the 7495 entries.
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar
  - File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099179.WMF
  - File opened for modification: C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18249_.WMF
  - File opened for modification: C:\Program Files\Java\jre7\lib\zi\Pacific\Marquesas
  - File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen.css
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar
  - File opened for modification: C:\Program Files (x86)\Google\Chrome\Application\83.0.4103.106\chrome.exe.sig
  - File created: C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\641F7F-Readme.txt
  - File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Santo_Domingo
  - File opened for modification: C:\Program Files\Windows Journal\Templates\Genko_1.jtp
  - File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Discussion.css
  - File opened for modification: C:\Program Files\Java\jre7\lib\zi\Europe\Prague
  - File opened for modification: C:\Program Files\Java\jre7\lib\zi\Europe\Andorra
  - File created: C:\Program Files\Microsoft Office\Office14\1033\Bibliography\641F7F-Readme.txt
  - File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152696.WMF
  - File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00728_.WMF
  - File opened for modification: C:\Program Files\Microsoft Office\Office14\AccessWeb\SERVWRAP.ASP
  - File opened for modification: C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePage.gif
  - File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TN01164_.WMF
  - File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO02268_.WMF
  - File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG
  - File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA02451_.WMF
  - File opened for modification: C:\Program Files\Java\jre7\lib\zi\MET
  - File opened for modification: C:\Program Files\Java\jre7\lib\zi\Asia\Dili
  - File opened for modification: C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18204_.WMF
  - File opened for modification: C:\Program Files\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Code_Signing_2001-4_CA.cer
  - File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO01044_.WMF
  - File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01772_.WMF
  - File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00057_.WMF
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie
  - File opened for modification: C:\Program Files\Microsoft Office\Office14\PUBWIZ\AIR98.POC
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_ja.jar
  - File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Hermosillo
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz
  - File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00941_.WMF
  - File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BL00269_.WMF
  - File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR25F.GIF
  - File opened for modification: C:\Program Files\Microsoft Office\Office14\PROOF\MSHY7ES.LEX
  - File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00438_.WMF
  - File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif
  - File created: C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\641F7F-Readme.txt
  - File opened for modification: C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax
  - File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0251007.WMF
  - File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\POWERPNT.DEV_COL.HXC
  - File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montevideo
  - File opened for modification: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.swf
  - File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_choosefont.gif
  - File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\XMLSDK5.CHM
  - File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar
  - File opened for modification: C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115843.GIF
  - File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\meta-index
  - File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02752G.GIF
  - File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow.css
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar
  - File opened for modification: C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - vssadmin.exe, pid 1628
- Kills process with taskkill (1 IoC)
  Processes:
  - taskkill.exe, pid 5448
- Suspicious behavior: EnumeratesProcesses (11896 IoCs)
  Processes:
  - pid 1688, 46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9.bin.exe (the visible excerpt repeats this single row; every enumeration event shown is attributed to the sample process)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1688, 46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9.bin.exe
  - Token: SeImpersonatePrivilege, 1688, 46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9.bin.exe
  - Token: SeBackupPrivilege, 7116, vssvc.exe
  - Token: SeRestorePrivilege, 7116, vssvc.exe
  - Token: SeAuditPrivilege, 7116, vssvc.exe
  - Token: SeDebugPrivilege, 5448, taskkill.exe
  Only the first two rows are the sample's own behaviour. vssvc.exe and taskkill.exe are Windows components that enable these privileges in the course of their normal operation; they appear here because the sample invoked them.
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (source pid and process -> target pid and process; each row is recorded four times):
  - 1688 46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9.bin.exe -> 1628 vssadmin.exe
  - 1688 46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9.bin.exe -> 3112 notepad.exe
  - 1688 46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9.bin.exe -> 5196 cmd.exe
  - 5196 cmd.exe -> 5448 taskkill.exe
  Every target is a child that the writing process has just launched, and there is no write into a pre-existing or unrelated process, so these events reflect process creation rather than code injection into a foreign process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9.bin.exe (pid 1688)
   Command line: "C:\Users\Admin\AppData\Local\Temp\46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9.bin.exe"
   - Modifies extensions of user files
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   1.1 C:\Windows\system32\vssadmin.exe (pid 1628)
       Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
       - Interacts with shadow copies
   1.2 C:\Windows\SysWOW64\notepad.exe (pid 3112)
       Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\641F7F-Readme.txt"
   1.3 C:\Windows\SysWOW64\cmd.exe (pid 5196)
       Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\97DC.tmp.bat"
       - Deletes itself
       - Suspicious use of WriteProcessMemory
       1.3.1 C:\Windows\SysWOW64\taskkill.exe (pid 5448)
             Command line: taskkill /F /PID 1688
             - Kills process with taskkill
             - Suspicious use of AdjustPrivilegeToken
2. C:\Windows\system32\vssvc.exe (pid 7116)
   Command line: C:\Windows\system32\vssvc.exe
   - Modifies service
   - Suspicious use of AdjustPrivilegeToken

Two details of the tree are worth reading carefully. First, notepad.exe, cmd.exe and taskkill.exe resolve to C:\Windows\SysWOW64\ although their command lines name system32: that is WoW64 file-system redirection, which means the sample is a 32-bit executable running on the 64-bit Windows 7 image, while vssadmin.exe is recorded from the real system32 directory. Second, taskkill /F /PID 1688 targets the sample's own process, so the chain sample -> cmd.exe -> 97DC.tmp.bat -> taskkill is the self-removal step: the report attributes "Deletes itself" to this cmd.exe, so the batch file removes the binary once the sample has been terminated, while notepad.exe displays the Desktop copy of the ransom note to the user.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\97DC.tmp.bat
  MD5: d70398154488e9ed77766fb3e8c18811
  SHA1: dbed2c7fdb82ea2544323f321a0cf75fba690f51
  SHA256: 65665290e6f796e6c64b2a889a3336b13ac6fdb78dc49c8e92bebaa8efd6084a
  SHA512: c5769d6dbffbaf565a87a0f2a20952db2b817a9ab4217fd6792908017050c3d06f9fe8c2980c4965013afeca826d3b072412fa897674c89508d50f1290728cc1
- C:\Users\Admin\Desktop\641F7F-Readme.txt
  MD5: 8da07ea4af145d7bee650cd73b788e6a
  SHA1: bbe245442a1e725a382147ebdf647bbf5d00ac31
  SHA256: b855ef2eb0bb855a44e2888db7f6d2f0a888d77c819d3630dd05c7c3a4fc5c5d
  SHA512: 3995f9002bf27153dfacf141fb44467630521607be9c5939d234155978a9ff4dd40e817b7c002a0876978cdc54f02400f081fd056c48d0d623a18f04822f25e8
- memory/1628-0-0x0000000000000000-mapping.dmp
- memory/3112-3-0x0000000000000000-mapping.dmp
- memory/5196-6-0x0000000000000000-mapping.dmp
- memory/5448-10-0x0000000000000000-mapping.dmp