IRSdeclaration‮cod.exe

General
Target

IRSdeclaration‮cod.exe

Filesize

282KB

Completed

15-10-2020 14:01

Score
10/10
MD5

fe3fd53ddc7c229b1150d970a05947c0

SHA1

3abeddbbbd29310290955cc7c1a895550c92ab96

SHA256

c414bbb789af8e3fb93b33344b31f1991582ec0f06558b29a3178d2b02465c72

Malware Config

Extracted

Path C:\5138E8-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\5138E8-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path C:\Program Files\5138E8-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures 11

Filter: none

Collection
Credential Access
Defense Evasion
Impact
Persistence
  • Netwalker Ransomware

    Description

    Ransomware family with multiple versions. Also known as MailTo.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Modifies extensions of user files
    IRSdeclaration‮cod.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File renamedC:\Users\Admin\Pictures\CheckpointSuspend.png => C:\Users\Admin\Pictures\CheckpointSuspend.png.5138e8IRSdeclaration‮cod.exe
    File renamedC:\Users\Admin\Pictures\ResolveFind.tiff => C:\Users\Admin\Pictures\ResolveFind.tiff.5138e8IRSdeclaration‮cod.exe
    File renamedC:\Users\Admin\Pictures\ExportSwitch.png => C:\Users\Admin\Pictures\ExportSwitch.png.5138e8IRSdeclaration‮cod.exe
    File renamedC:\Users\Admin\Pictures\GrantProtect.png => C:\Users\Admin\Pictures\GrantProtect.png.5138e8IRSdeclaration‮cod.exe
    File opened for modificationC:\Users\Admin\Pictures\ResolveFind.tiffIRSdeclaration‮cod.exe
    File renamedC:\Users\Admin\Pictures\HideSuspend.tif => C:\Users\Admin\Pictures\HideSuspend.tif.5138e8IRSdeclaration‮cod.exe
    File renamedC:\Users\Admin\Pictures\LockBackup.tiff => C:\Users\Admin\Pictures\LockBackup.tiff.5138e8IRSdeclaration‮cod.exe
    File renamedC:\Users\Admin\Pictures\RedoHide.tiff => C:\Users\Admin\Pictures\RedoHide.tiff.5138e8IRSdeclaration‮cod.exe
    File opened for modificationC:\Users\Admin\Pictures\LockBackup.tiffIRSdeclaration‮cod.exe
    File opened for modificationC:\Users\Admin\Pictures\RedoHide.tiffIRSdeclaration‮cod.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Modifies service
    vssvc.exe

    TTPs

    Modify RegistryModify Existing Service

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}vssvc.exe
  • Drops file in Program Files directory
    IRSdeclaration‮cod.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-100_contrast-black.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\7-Zip\Lang\de.txtIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_en_CA.txtIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\MedTile.scale-200.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\vlc.moIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\ui-strings.jsIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.tree.datIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\Home-Placeholder.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\cg_16x11.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svgIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\TryAgain\TryAgain-up.mobile.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\Icons\tripeaks.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-VIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cu_60x42.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\images\mecontrol.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-16.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\LargeTile.scale-125.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\StarClub\new_collection_available.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\SmallTile.scale-100.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\MedTile.scale-200.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-150.pngIRSdeclaration‮cod.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\5138E8-Readme.txtIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\ui-strings.jsIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-80_altform-unplated.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\MedTile.scale-100.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_altform-unplated.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\bg5_thumb.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jarIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_2x.gifIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-msIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-200.pngIRSdeclaration‮cod.exe
    File createdC:\Program Files\Microsoft Office\root\Office16\FPA_f3\5138E8-Readme.txtIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jarIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Templates\1033\TimelessLetter.dotxIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\Emboss.scale-140.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Badges\NewCollection.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-36_altform-unplated.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-400.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.INFIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\trainengine.3mfIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7656_20x20x32.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\ui-strings.jsIRSdeclaration‮cod.exe
    File createdC:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\5138E8-Readme.txtIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\5px.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.moIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README_en_GB.txtIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-16_altform-unplated.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96_contrast-high.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Awards\Assets\Awards_cup.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-black\Movie-TVStoreLogo.scale-150_contrast-black.pngIRSdeclaration‮cod.exe
    File createdC:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\5138E8-Readme.txtIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\ui-strings.jsIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jarIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_LinkDrop32x32.gifIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jarIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\ui-strings.jsIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\mask_corners_cardback.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-36_altform-unplated.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\lu_16x11.pngIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.priIRSdeclaration‮cod.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\AppStore_icon.svgIRSdeclaration‮cod.exe
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery

    Reported IOCs

    pidprocess
    3692vssadmin.exe
  • Kills process with taskkill
    taskkill.exe

    Tags

    Reported IOCs

    pidprocess
    7104taskkill.exe
  • Suspicious behavior: EnumeratesProcesses
    IRSdeclaration‮cod.exe

    Reported IOCs

    pidprocess
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
    3944IRSdeclaration‮cod.exe
  • Suspicious use of AdjustPrivilegeToken
    IRSdeclaration‮cod.exevssvc.exetaskkill.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege3944IRSdeclaration‮cod.exe
    Token: SeImpersonatePrivilege3944IRSdeclaration‮cod.exe
    Token: SeBackupPrivilege5580vssvc.exe
    Token: SeRestorePrivilege5580vssvc.exe
    Token: SeAuditPrivilege5580vssvc.exe
    Token: SeDebugPrivilege7104taskkill.exe
  • Suspicious use of WriteProcessMemory
    IRSdeclaration‮cod.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 3944 wrote to memory of 36923944IRSdeclaration‮cod.exevssadmin.exe
    PID 3944 wrote to memory of 36923944IRSdeclaration‮cod.exevssadmin.exe
    PID 3944 wrote to memory of 81803944IRSdeclaration‮cod.exenotepad.exe
    PID 3944 wrote to memory of 81803944IRSdeclaration‮cod.exenotepad.exe
    PID 3944 wrote to memory of 81803944IRSdeclaration‮cod.exenotepad.exe
    PID 3944 wrote to memory of 73843944IRSdeclaration‮cod.execmd.exe
    PID 3944 wrote to memory of 73843944IRSdeclaration‮cod.execmd.exe
    PID 3944 wrote to memory of 73843944IRSdeclaration‮cod.execmd.exe
    PID 7384 wrote to memory of 71047384cmd.exetaskkill.exe
    PID 7384 wrote to memory of 71047384cmd.exetaskkill.exe
    PID 7384 wrote to memory of 71047384cmd.exetaskkill.exe
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\IRSdeclaration‮cod.exe
    "C:\Users\Admin\AppData\Local\Temp\IRSdeclaration‮cod.exe"
    Modifies extensions of user files
    Drops file in Program Files directory
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      Interacts with shadow copies
      PID:3692
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\5138E8-Readme.txt"
      PID:8180
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\E07D.tmp.bat"
      Suspicious use of WriteProcessMemory
      PID:7384
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 3944
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        PID:7104
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Modifies service
    Suspicious use of AdjustPrivilegeToken
    PID:5580
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Discovery
      Execution
        Exfiltration
          Initial Access
            Lateral Movement
              Privilege Escalation
                Replay Monitor
                00:00 00:00
                Downloads
                • C:\Users\Admin\AppData\Local\Temp\E07D.tmp.bat

                  MD5

                  70d09fa719ebb277ef5dcb76c7060664

                  SHA1

                  d2c588d4524bab81cda6d6d988b2726fbaddd2b2

                  SHA256

                  88da1c28de6226e2092ff2ea5e7b3f000aed95794e502eef9c00bcc2fb7d4845

                  SHA512

                  8806c8bc5baf67d89c4d546395e1e5206f658b55bde8b7271290686ecbbae5a5f54ed338213b26f767db243c46c1affda5dce64d8021208dab9159ae59b90f83

                • C:\Users\Admin\Desktop\5138E8-Readme.txt

                  MD5

                  fa68eea91e52b87c18a98ca8cd8a0ab9

                  SHA1

                  94dfe79a6d6dc9ab25cec05a5dacaef9edde6386

                  SHA256

                  a997318e47d2231cf3d8ecdc337d54af84b5fadf84bd6070e75529f3087c7137

                  SHA512

                  fed6bf7636f42344595ddbd878b0e33a8f7d1e924e71bfea6ba491994e63e345dcf3eb2c17c3148a48e5d0320377cbbd45d46597de9d1a007ddd66207d5991c0

                • memory/3692-0-0x0000000000000000-mapping.dmp

                • memory/7104-4-0x0000000000000000-mapping.dmp

                • memory/7384-2-0x0000000000000000-mapping.dmp

                • memory/8180-1-0x0000000000000000-mapping.dmp